2016 Set to be A Record Breaking Year for Healthcare Data Breaches

Healthcare security breaches have been increasing steadily throughout the year and the trend has continued throughout quarter 3. More healthcare data breaches have been reported in July, August and September than in any other month of the year.

In fact, more healthcare data breaches have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) so far in 2016 than in all of 2009, 2010, 2011, 2012, and 2013. So far this year OCR has been informed of 243 healthcare data breaches.

The breach count for 2016 to date has almost reached the count for all of 2015 – when 269 protected health information breaches were reported to OCR. With just over two months of the year still remaining, 2016 is well on track to be the worst year on record for healthcare data breaches. On the positive side, the massive data breaches of 2015 have not been repeated in 2016.

To date, the health records of 14,310,091 individuals have been exposed or stolen. By this time last year, the victim count stood at 112,784,979 individuals spread across 226 security breaches.

Only 2014 – often referred to as the year of the healthcare data breach – has seen more data breaches discovered. By this point in 2014, 255 healthcare data breaches had been reported to OCR, and the final count for the year was 296 breaches. At the current rate, 2016 is likely to see the breach count rise to more than 300 incidents for the very first time.

September Breach Barometer Confirms Alarming Healthcare Data Breach Trend

The latest Breach Barometer Report from Protenus confirms the worrying trend. The report, which draws on data from sources other than the OCR breach portal, shows that the average number of healthcare data breaches per month in Q3 was 55% higher than the average monthly figure for the first half of the year. In Q3, the average number of healthcare data breaches rose to 39.3 incidents per month, up from 25.3 breaches per month between January and June.

August was a particularly bad month for breaches, with major incidents announced by Banner Health (3,620,000 records) and Newkirk Products, Inc. (3,466,120 records). In September, the largest breach reported to OCR was the cyberattack on Central Ohio Urology Group, Inc. (30,000 records). The largest incident of the month, however, was a ransomware attack that affected 58,000 individuals, although that breach has yet to appear on the OCR breach portal.

The figures from Protenus – supplied by Databreaches.net – show 37 incidents were discovered in September. The victim count is known for 32 of those breaches. The total number of health plan members and healthcare patients known to have been impacted by health data breaches in September stands at 246,876 individuals.

In September, insiders were the largest cause of breaches, accounting for 41% of incidents. The 15 insider incidents were almost evenly split between malicious acts (8) and accidental breaches (7). 50,695 records are known to have been exposed or stolen as a result of those incidents; the figures for two of the breaches are still unknown.

Hackers have continued to attack healthcare organizations. Twelve hacking/malware incidents were reported in September, affecting 154,814 individuals. Figures have not been released for two of those incidents.

For 22% of breaches the cause is unknown, while the loss and/or theft of devices and paper records accounted for 5% of breaches. 91.7% of breaches affected healthcare providers with two incidents reported by health plans and one by a business associate. Breaches affected 21 states, with California the worst hit with 11 incidents followed by Pennsylvania with 4.

The Protenus September Breach Barometer Report also shows that the time between identification of a security breach and notification has shortened substantially since August, when an average of 558 days elapsed between discovery of a breach and reporting it to OCR. In September, the average had dropped to 151 days.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.