Fall in Healthcare Data Breaches in August: Rise in Breach Severity
Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day.
August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected.
The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date.
Throughout the year, insider incidents have dominated the breach reports, although in July hacking was the biggest cause of PHI breaches. That trend has continued in August with hackers responsible for 54.5% of all reported data breaches. Those incidents accounted for 95% of all breached patient records in the month. The hacking totals also include phishing and ransomware incidents. There were at least five reported data breaches in August that involved ransomware.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
In August, insiders were responsible for 9 incidents – 27.3% of the total – seven of which were insider errors, with two incidents due to insider wrongdoing. 15.2% of breaches were the result of the loss or theft of unencrypted devices containing PHI.
While breaches of electronic protected health information dominated the breach reports, there were six incidents reported that involved physical records, including two mailings in which PHI was visible through the clear plastic windows of the envelopes.
Protenus notes that while healthcare organizations appear to be getting better at discovering data breaches more quickly, the figures for the past two months may be misleading. Alongside the decrease in time taken to identify breaches there has been an increase in hacking incidents, which tend to be discovered faster than insider breaches.
Protenus explains, “For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days),” demonstrating the difficulty healthcare organizations have in detecting insider breaches.
Organizations are reporting breaches to HHS and notifying patients within 60 days of the discovery of a breach on the whole, with only three organizations exceeding the deadline. One of those entities took 177 days from the discovery of the breach to report the incident to HHS. The average time was 53 days and the median time was 58 days.
The breach reports followed a similar pattern to most months, with healthcare providers experiencing the majority of breaches (72%), followed by health plans (18.2%). Business associates reported 3% of breaches and 6% were reported by other entities, including a pharmacy and a private school. Texas was the worst affected state in August with five breaches, followed by California with four, and Ohio and New York with three apiece.
