Analysis of Q4 2017 Healthcare Security Breaches
Q4, 2017 saw a 13% reduction in healthcare security breaches reported to the Department of Health and Human Services’ Office for Civil Rights. There were 99 data breaches reported in Q3, 2017. In Q4, there were 86 security breaches reported.
There were 27 healthcare security breaches reported in September, followed by a major decline in breaches in November, when 21 incidents were reported. However, December saw a significant uptick in incidents with 38 reported breaches.
The quarterly decline in security incidents was accompanied by a marked decrease in the severity of breaches. In Q3, there were 8 data breaches reported that impacted more than 50,000 individuals. In Q4, no breaches on that scale were reported. The largest incident in Q4 impacted 47,000 individuals.
Largest Q4, 2017 Healthcare Security Breaches
| Covered Entity | Entity Type | Number of Records Breached | Cause of Breach |
|---|---|---|---|
| Oklahoma Department of Human Services | Health Plan | 47000 | Hacking/IT Incident |
| Henry Ford Health System | Healthcare Provider | 43563 | Theft |
| Coplin Health Systems | Healthcare Provider | 43000 | Theft |
| Pulmonary Specialists of Louisville, PSC | Healthcare Provider | 32000 | Hacking/IT Incident |
| SSM Health | Healthcare Provider | 29579 | Unauthorized Access/Disclosure |
| UNC Health Care System | Healthcare Provider | 27113 | Theft |
| Emory Healthcare | Healthcare Provider | 24000 | Unauthorized Access/Disclosure |
| Franciscan Physician Network of Illinois and Specialty Physicians of Illinois, LLC (formerly known as WellGroup Health Partners, LLC) | Healthcare Provider | 22000 | Loss |
| Chase Brexton Health Care | Healthcare Provider | 16562 | Hacking/IT Incident |
| Hackensack Sleep and Pulmonary Center | Healthcare Provider | 16474 | Hacking/IT Incident |
| Longs Peak Family Practice, P.C. | Healthcare Provider | 16238 | Hacking/IT Incident |
| Shop-Rite Supermarkets, Incorporated | Healthcare Provider | 12172 | Improper Disposal |
| Sinai Health System | Healthcare Provider | 11347 | Hacking/IT Incident |
| The Medical College of Wisconsin, Inc. | Healthcare Provider | 9500 | Hacking/IT Incident |
| Golden Rule Insurance Company | Health Plan | 9305 | Unauthorized Access/Disclosure |
There was a steady increase in breached records each month in Q4. In October, 71,377 records were breached, rising to 107,143 records in November and 341,621 records in December. Even December’s high total was lower than any month in the previous quarter. Over the quarter, the records of 520,141 individuals were exposed/stolen.
Hacking/IT incidents tend to involve the highest number of exposed/stolen records and Q4 was no exception. 7 of the top 15 security incidents (47%) were due to hacks and IT incidents. Loss and theft incidents accounted for 27% of the worst healthcare security breaches in Q4, followed by unauthorized access/disclosures at 20%.
While hacking/IT incidents resulted in the exposure/theft of the most records, unauthorized access/disclosure incidents were the most numerous. Out of the 86 reported healthcare security breaches in Q4, 33 were unauthorized access/disclosures (38.37%). There were 29 hacking/IT incidents (33.7%), and 20 incidents (23.3%) involving the loss/theft of PHI and electronic devices containing ePHI. Four incidents (4.7%) involved the improper disposal of PHI/ePHI.
In Q4, paper records/films were involved in the most breaches, showing how important it is to physically secure records. 21 incidents (24.4%) involved physical records. As was the case in Q3, email was also a top three cause of breaches, with many healthcare organizations suffering phishing attacks in Q4. Network server attacks completed the top three locations of breached PHI.
Healthcare providers reported the most security breaches in Q4, followed by health plans and business associates of HIPAA-covered entities, as was the case for most of 2017.
In Q4, 2017, healthcare organizations based in 35 states reported security breaches. Unsurprisingly, being the most populous state in the US, California topped the list for the most reported healthcare security breaches with 7 incidents in Q4.
In close second, with 6 breaches each, were Florida and Maryland, followed by New York with 5 incidents. Kentucky, Michigan, and Texas each had four reported breaches, and Colorado, Illinois, New Jersey, and Pennsylvania each suffered 3 incidents.