HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Data Breaches in September Saw Almost 500K Records Exposed

Protenus has released its Breach Barometer report which shows there was a significant increase in healthcare data breaches in September. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and security incidents tracked by databreaches.net. The latter have yet to appear on the OCR ‘Wall of Shame.’

In total, Protenus/databreaches.net tracked 46 healthcare data breaches in September. While the total number of breach victims has not been confirmed for all incidents, at least 499,144 healthcare records are known to have been exposed or stolen. The number of records exposed or stolen in four of the month’s breaches has yet to be disclosed.

The high number of incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June was worse, when 52 data breaches were reported. In August, 33 data breaches were reported by healthcare organizations.

The report confirms the worst incident of the month was a ransomware attack that saw the records of 128,000 individuals made inaccessible. It is not known if those records were accessed or stolen.

The main causes of healthcare data breaches in September were hacking (50%) and insiders (32.6%). The hacking total includes extortion attempts by TheDarkOverlord hacking group, ransomware incidents, and malware attacks. Hacking incidents accounted for 80% of breached records for the month – 401,741 records – although figures for 4 of the incidents have not yet been disclosed. The hacking incidents in September included one confirmed ransomware incident, eight extortion attempts, and seven phishing attacks.

The 15 insider incidents resulted in the exposure of 73,926 records. Those incidents included six insider errors and eight instances of insider wrong doing. Four theft incidents were reported which impacted 17,295 patients.

The breaches occurred at 31 healthcare providers, 6 health plans, 6 business associates of HIPAA-covered entities, and 3 schools, with California the worst affected with 5 incidents.

While most healthcare organizations discovered their data breaches within 6 weeks – the medial time for discovery was 38 days – it took one healthcare provider 2108 days to discover that one of its employees had been improperly accessing medical records.

Most healthcare organizations reported their breaches inside the HIPAA Breach Notification Rule deadline of 60 days, although there were two exceptions. One healthcare organization took 249 days to report its breach, risking a significant HIPAA violation penalty.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.