HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Fall in Healthcare Data Breaches in August: Rise in Breach Severity

Healthcare data breaches have fallen for the second month in a row, according to the latest installment of the Breach Barometer report from Protenus/Databreaches.net. In August, there were 33 reported healthcare data breaches, down from 36 incidents in July and 56 in June. While the reduction in data breaches is encouraging, that is still more than one healthcare data breach per day.

August may have been the second best month of the year to date in terms of the number of reported incidents, but it was the third worst in terms of the number of individuals impacted. 575,142 individuals were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further still, since two incidents were not included in that total since it is not yet known how many individuals have been affected.

The worst incident of the month was reported by Pacific Alliance Medical Center – A ransomware attack that impacted 266,133 patients – one of the worst ransomware incidents of the year to date.

Throughout the year, insider incidents have dominated the breach reports, although in July hacking was the biggest cause of PHI breaches. That trend has continued in August with hackers responsible for 54.5% of all reported data breaches. Those incidents accounted for 95% of all breached patient records in the month. The hacking totals also include phishing and ransomware incidents. There were at least five reported data breaches in August that involved ransomware.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

In August, insiders were responsible for 9 incidents – 27.3% of the total – seven of which were insider errors, with two incidents due to insider wrongdoing. 15.2% of breaches were the result of the loss or theft of unencrypted devices containing PHI.

While breaches of electronic protected health information dominated the breach reports, there were six incidents reported that involved physical records, including two mailings in which PHI was visible through the clear plastic windows of the envelopes.

Protenus notes that while healthcare organizations appear to be getting better at discovering data breaches more quickly, the figures for the past two months may be misleading. Alongside the decrease in time taken to identify breaches there has been an increase in hacking incidents, which tend to be discovered faster than insider breaches.

Protenus explains, “For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days),” demonstrating the difficulty healthcare organizations have in detecting insider breaches.

Organizations are reporting breaches to HHS and notifying patients within 60 days of the discovery of a breach on the whole, with only three organizations exceeding the deadline. One of those entities took 177 days from the discovery of the breach to report the incident to HHS. The average time was 53 days and the median time was 58 days.

The breach reports followed a similar pattern to most months, with healthcare providers experiencing the majority of breaches (72%), followed by health plans (18.2%). Business associates reported 3% of breaches and 6% were reported by other entities, including a pharmacy and a private school. Texas was the worst affected state in August with five breaches, followed by California with four, and Ohio and New York with three apiece.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.