Leading Cause of Healthcare Data Breaches in April was Hacking

The monthly Breach Barometer Report from Protenus shows a significant reduction in the number of exposed healthcare records in April, with 232,060 records exposed compared to more than 1.5 million in March. The number of reported data breaches also fell from 39 to 34.

The report offers some further good news. The time taken by healthcare organizations to report security incidents also fell last month. 66% of breaches were reported within the 60-day time period allowed by the Health Insurance Portability and Accountability Act Breach Notification Rule. While it is good news that the trend for reporting data breaches more promptly is continuing, there is still plenty of room for improvement.

Protenus reports that in April, it took an average of 51 days from the date of the breach to discovery, and an average of 59 days from the discovery of a breach to the submission of a breach report to the HHS’ Office for Civil Rights.

The data for the Protenus Breach Barometer report was supplied by Databreaches.net, which uncovered one of the worst breaches of the year to date: the theft of psychotherapy notes, substance abuse histories, health histories and the personally identifiable information of 4,229 patients of Bangor Health Center in Maine. That incident was one of 16 hacking incidents reported in April.

Hacking/IT incidents were cited as the cause of 47% of data breaches reported in April, followed by insider incidents (29%), and loss and theft of devices/PHI (15%). The cause of 9% of the breaches is currently unknown.

Hacking was the cause of the largest data breach of the month. The incident, which was reported by Harrisburg Gastroenterology, affected 93,323 individuals.

Out of the 16 hacking/IT incidents reported in April, five were related to ransomware infections and three incidents were phishing attacks. There were five breaches due to insider errors and four incidents involving insider wrongdoing.

While the majority of data breaches involved electronic protected health information, healthcare organizations must ensure appropriate controls are in place to secure physical PHI. Five of the breaches reported in April involved the theft or exposure of physical PHI.

There were two business associate data breaches in April and two reported by health plans. The majority of the breaches (79.41%) were reported by healthcare providers.

Texas was the worst-affected state with four breaches, followed by Michigan, Ohio and New York, each with three incidents.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.