8.8 Million Healthcare Records Breached in August

August was a bad month for healthcare data breaches. More than 8.8 million patient and health plan member records were exposed or stolen (8,804,608 to be precise). According to the latest installment of the Protenus Breach Barometer, the total number of healthcare records stolen or exposed this summer now exceeds 20 million.

In August, 44 breach reports relating to 42 separate incidents were submitted to the Department of Health and Human Services’ Office for Civil Rights. That makes August the worst month so far this year for healthcare data breaches, and the second worst in terms of the number of healthcare records exposed. Only June saw more records breached (11,061,649). The total number of breaches reported so far in 2016 is now up to 233.

The Breach Barometer shows that one of the biggest threats to healthcare data security is insiders. Insiders were responsible for 42.86% of the data breaches reported in August. Hacking – including ransomware attacks – was the second biggest cause of breaches, accounting for 28.57% of incidents. Loss and theft of devices containing PHI was third, accounting for 11.9% of breaches. The cause of 16.67% of breaches is unknown.

Healthcare providers were hit the hardest in August, being involved in 37 incidents. Almost one in five breaches involved a business associate, and incidents involving business associates accounted for 47% of all breached records.

It is difficult to gauge accurately how quickly covered entities are discovering data breaches, as not all CEs divulge the date of the breach, the date of discovery, and when patients were notified. Of the 13 data breaches included in the report for which this information was divulged, 38% took longer than 60 days to discover, although some entities were able to identify a breach within 20 days.

Under the Health Insurance Portability and Accountability Act, covered entities have up to 60 days following the discovery of a data breach to notify OCR and send breach notification letters to patients. In many cases, the issuing of breach notification letters is delayed.

Fortunately, many covered entities appear to be better prepared for breaches and were able to issue notifications well within the time frame allowed by the HIPAA Breach Notification Rule.

Covered entities based in 20 states reported breaches in August. California was the worst hit, with 6 reported incidents.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.