HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

2020 Protenus Breach Barometer Report Reveals 49% Increase in Healthcare Hacking Incidents

According to the 2020 Protenus Breach Barometer report, there were 572 healthcare data breaches of 500 or more records in 2019 and at least 41.4 million patient records were breached. That represents a 13.7% annual increase in the number of reported breaches and a 174.5% increase in the number of breached records.

The final total for 2019 is likely to be considerably higher, as the number of individuals affected by 91 of those breaches is not known, including two major breaches that have yet to be reported that affected more than 500 dental offices throughout the United States.

The 2020 Protenus Breach Barometer report, produced in conjunction with databreaches.net, was compiled from breaches reported to the HHS’ Office for Civil Rights, the media, and other sources. The report shows a dramatic rise in the number of hacking incidents in 2019, which were up 49% from 2018. 58% of all reported breaches in 2019 were hacking/IT incidents and at least 36,911,960 records were exposed or stolen in those breaches.

“It appears hacking incidents, particularly ransomware incidents, are on the rise; hackers are getting more creative in how they exploit healthcare organizations and patients alike,” explained Protenus in the report.

Please see the HIPAA Journal Privacy Policy

There has been a significant increase in healthcare ransomware attacks in 2019 and worrisome new trends are emerging. Prior to file encryption, some ransomware gangs have started exfiltrating patient data and threats are being issued to publish that data if the ransom is not paid. There have been several cases where data has been published to encourage victims to pay. One threat group even sent ransom demands to patients demanding payment to prevent the publication of their data, in addition to a ransom demand sent to the covered entity.

The largest data breach of the year was the hacking of American Medical Collection Agency. That single breach impacted multiple healthcare providers and resulted in the theft of more than 20 million patients’ PHI. The 7-month breach was only discovered when patient data was found listed for sale on a dark web marketplace.

Insider data breaches, due to human error and insider wrongdoing, fell by 20% in 2019. Protenus has attributed the reduction to increased adoption of healthcare compliance analytics to detect anomalous behavior as well as improvements to employee education on how to prevent privacy violations.

While this is encouraging, the severity of insider incidents increased in 2019 with 3,800,312 records exposed in insider breaches compared to 2,793,607 records in 2018. 72 of the incidents were confirmed as the result of insider error and 35 incidents were due to insider wrongdoing. 3,659,962 records were breached as a result of human error and 136,566 records were breached in insider wrongdoing incidents.

Healthcare organizations are getting better at detecting breaches. The average time to discover a breach was 255 days in 2018. In 2019, it took an average of 225 days.  The median detection time was 44 days. Several insider breaches took more than 4 years to discover, highlighting the need for AI-based solutions that can detect abnormal user activity.

The HIPAA Breach Notification Rule requires data breaches to be reported within 60 days of discovery, yet in 2019 it took an average of 80 days for breaches to be reported, up from 73 days in 2018.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.