Share this article on:
Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018.
The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.
The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches.
According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018.
In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased each quarter, from 1,175,804 records in Q1 to 6,281,470 healthcare records in Q4.
The largest data breach of the year was a hacking incident at a business associate of a North Carolina health system. Over the space of a week, the hackers gained access to the health records of 2.65 million individuals.
Healthcare hacking incidents have increased steadily since 2016 and were the biggest cause of breaches in 2018, accounting for 44.22% of all tracked data breaches. There were 222 hacking incidents in 2018 compared to 178 in 2017. Data was only available for 180 of those breaches, which combined, resulted in the theft/exposure of 11,335,514 patient records. The hacking-related breaches in 2017 resulted in the theft/exposure of 3,436,742 records. While it was not possible to categorize many of the hacking incidents due to a lack of data, phishing attacks and ransomware/malware incidents were both common.
Insiders were behind 28.09% of breaches, loss/theft incidents accounted for 14.34%, and the cause of 13.35% of breaches was unknown.
Insider breaches included human error and insider wrongdoing. These breaches accounted for a lower percentage of the total than in 2017 when 37% of breaches were attributed to insiders. Information was available for 106 insider-related breaches in 2018. 2,793,607 records were exposed in those breaches – 19% of exposed records for the year. While the total number of insider incidents fell from 176 to 139 year over year, there was a significant increase in the number of records exposed in insider breaches in 2018.
Insider errors resulted in the exposure of 785,281 records in 2017 and 2,056,138 records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018.
Without the proper tools in place, insider breaches can be difficult to detect. In one case, it took a healthcare provider 15 years to discover that an employee was snooping on patient records. Several incidents took over four years to discover.
Snooping by family members was the most common cause of insider breaches, accounting for 67.38% of the total. Snooping co-workers accounted for 15.81% of insider breaches. Protenus notes that there is a high chance of repeat insider offenses. 51% of cases involved repeat offenders.
Overall, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered.
Healthcare providers were the worst affected group with 353 data breaches – 70% of all reporting entities. 62 breaches were reported by health plans (12%) and 39 (8%) were reported by other entities. It was a particularly bad year for business associates of HIPAA covered entities with 49 incidents (10%) reported by business associates. A further 102 incidents (20%) had some business associate involvement.
Protenus expects to trend of more than 1 breach per day to continue in 2019, as has been the case every year since 2016.