Healthcare Data Breaches Fell in October

There was a fall in the number of data breaches reported by healthcare organizations in the United States in October, according to the latest Breach Barometer report from Protenus. This is the second month in a row in which the number of data breaches has fallen.

The number of reported breaches dropped from an annual high of 42 incidents in August to 35 breaches in October, two fewer than were reported last month. However, the number of exposed records increased from 246,876 in September to 776,533 in October. The final victim count for the month could be considerably higher: while 35 breaches were reported, the number of individuals affected by four of those incidents is not yet known.

There were some notable IT security incidents reported last month:

Four healthcare organizations reported being attacked with ransomware in October. Three of those incidents resulted in a permanent loss of healthcare data. Two organizations attempted to recover data from backups, only for the backup recovery process to fail, while one healthcare organization reported data loss as a direct result of the infection itself. The extent of data loss in each of these incidents was not disclosed publicly.

Two healthcare organizations were subject to extortion attempts after data were stolen. The organizations in question were told that the stolen data would be published or sold if payment was not made to the attacker.

The hacker responsible for those attacks was The Dark Overlord, who has previously hacked a number of healthcare organizations and held their data to ransom. While The Dark Overlord claims to have been paid by some healthcare organizations, there is no evidence of any payments actually being made according to Dissent of Some of the stolen data have been dumped online and listings have been placed on darknet marketplaces offering the stolen data for sale.

Hacking and ransomware/malware infections were the main causes of healthcare data breaches in October, accounting for 40% of all data breaches. Those breaches were also the most severe, accounting for the majority (86%, or 664,549 of 776,533) of stolen or exposed records for the month.

Hacking and ransomware attacks were closely followed by accidental and deliberate insider breaches, which accounted for 37% of October's healthcare data breaches. Those incidents impacted 79,974 individuals, and two further insider breaches occurred for which the victim count is not yet known.

The majority of breaches (82.8%) involved healthcare providers, followed by business associates of covered entities (8.6%), health plans (5.7%), and health information exchanges (2.9%). For the second month running, California was the worst hit state, recording 4 healthcare data breaches.

According to Robert Lord, Co-Founder & CEO of Protenus, “A few things stand out as particularly interesting this month. First, there were the public reports of data loss due to ransomware, which confirmed the rumors that ransomware payments aren’t always leading to recovered data. Second, the continued consistency of insider threats demonstrates the critical necessity of thinking about how we can mitigate these types of health data breaches and HIPAA violations.”

While it is certainly good news that the downward trend in breaches is continuing, this does not necessarily mean that healthcare organizations are getting better at securing protected health information. As Lord explains, “while breach numbers aren’t as high as the catastrophic numbers of the summer, we don’t see the fundamentals of a severely-threatened health data landscape changing anytime soon.”

The Protenus Breach Barometer is a monthly report of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media or other trusted online sources.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.