HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hacking Responsible for 83% of Breached Healthcare Records in January

The latest installment of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that overall, at least 473,807 patient records were exposed or stolen in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The actual total is likely to be considerably higher, possibly taking the final total to more than half a million records.

The report shows insiders are continuing to cause problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January: of the 37 healthcare data breaches reported in January, 12 were attributed to insiders (32% of all data breaches).

While insiders were the main cause of breaches, the incidents affected a relatively low number of individuals, just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. Seven incidents were attributed to insider error and five to insider wrongdoing.

Protenus has drawn attention to one particular insider breach. A nurse was discovered to have accessed the health information of 1,309 patients without authorization over a period of 15 months. If the healthcare organization had technology in place to monitor for inappropriate access, the privacy of hundreds of patients would not have been violated.

The second biggest cause of healthcare data breaches in January was hacking/IT incidents. There were 11 hacking/IT incidents reported by healthcare organizations in January, 30% of all breaches. In contrast to insider incidents, these were not small breaches: they accounted for 83% of all breached records in January. A single hacking incident involved 279,865 records, 59% of all breached records in the month.

In total, 393,766 healthcare records were exposed by hacks and other IT incidents. The final figure could be substantially higher as figures for five of those breaches have not been obtained. One of the incidents involving an unknown number of records was the ransomware attack on the EHR company Allscripts, which resulted in some of its applications being unavailable for several days. That incident could well be the biggest breach of the month.

Ransomware attacks are still a major problem in healthcare, with six of the 11 incidents involving ransomware or malware. Phishing – the subject of February’s cybersecurity letter from the HHS’ Office for Civil Rights – was involved in at least two breaches.

The loss or theft of electronic devices containing ePHI or physical records accounted for 22% of the breaches. Two incidents involving the loss of patient records impacted 10,590 individuals and four out of the six theft incidents impacted 50,929 individuals. The number of individuals affected by the other two theft incidents is unknown. The cause of 16% of January’s data breaches has not yet been disclosed.

The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the majority of breaches (84%). 5% of the breaches had some business associate (BA) involvement, 3% affected health plans, and 8% affected other entities.

Information on the length of time it took to detect breaches was only obtained for 11 of the 37 incidents. The median time from the incident to detection was 34 days and the average was 252 days. The average was skewed by one incident that took 1,445 days to discover.

The median time from discovery of a breach to reporting the incident was 59 days, one day shy of the 60-day absolute limit set by the HIPAA Breach Notification Rule. The average was 96 days. Four healthcare organizations took longer than 60 days to report their breaches, with one taking more than 800 days.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.