Share this article on:
Protenus has published its February Healthcare Breach Barometer Report. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights or disclosed to the media in February 2018.
The report, compiled from data collected from databreaches.net, indicates at least 348,889 healthcare records were confirmed as breached in February, although that figure will be considerably higher as the number of people affected by 11 breaches is not yet known. There were 39 security breaches involving protected health information in February – a slight rise from the 37 breaches reported in January, although the number of records exposed was down from January’s total of 473,807 records.
Insider breaches continue to pose problems for healthcare providers with 16/39 incidents (41%) involving insiders. Those incidents resulted in the exposure/theft of 51% of all records confirmed as having been exposed or stolen in February. Protenus notes that 94% of insider breaches were the result of errors by healthcare employees, with only one confirmed breach involving insider wrongdoing.
Hacking accounted for 33% of data breaches and resulted in the exposure of 46% of the records exposed in February, although the number of people affected by five hacking incidents is not yet known. Out of the hacking/IT incidents, four were confirmed as involving malware or ransomware, including the largest breach of the month – the 135,000-record breach at St. Peter’s Surgery & Endoscopy Center in New York. There were two incidents confirmed as involving phishing. Theft/loss incidents accounted for 13% of all breaches and the cause of 13% of breaches is currently unknown.
Healthcare providers reported 23 breaches, health plans reported eight incidents, business associates reported four incidents, and businesses/other vendors reported four breaches. The breach reports submitted to the Office for Civil Rights only suggest two business associate breaches occurred, although the Protenus report has revealed there were 11 incidents with some business associate/vendor involvement.
Protenus notes that it took an average of 325 days from the date of the breach to the incident being discovered with a median detection time of 34 days. The average was high due to one insider breach taking more than four years to discover. The average time from discovery to reporting was 68 days with a median of 59 days. Six organizations reported the breaches later than the 60-day maximum time frame allowed by HIPAA.
California was the worst affected by healthcare data breaches in February with six incidents followed by Wisconsin and Georgia on three. Healthcare data breaches were reported by organizations in 22 states and Puerto Rico in February.
Protenus notes that while the number of people affected by healthcare data breaches fell to a four year low in 2017, the number of data breaches has not reduced. Healthcare data breaches are still occurring at a rate of more than one per day.