Major 2016 Healthcare Data Breaches: Mid Year Summary

Cyberattacks on healthcare organizations are now a fact of life. As long as it remains profitable for hackers to conduct attacks on healthcare organizations, the cyberattacks will continue. Given the volume of healthcare data breaches now being reported, it is clear that the healthcare industry must do more to strengthen defenses against cyberattacks, insider threats. To do that, healthcare organizations need to look beyond HIPAA compliance.

Healthcare organizations had a torrid time in 2015. In 2015, more healthcare records were stolen than in any other year since records of breaches started being published by the Office for Civil Rights. Some of the cyberattacks on healthcare providers and health insurers resulted in staggering amounts of data being stolen.

Major 2016 Healthcare Data Breaches

Until the last week in June it looked like the healthcare industry had avoided mega data breaches on the scale of the cyberattacks on Anthem, Premera BlueCross, and Excellus BlueCross BlueShield in 2015. However, as the first half of the year came to an end, a hacker offered a 9.3-million record database for sale on a Darknet marketplace.

Other large-scale data breaches in 2016 include the cyberattack on 21st Century Oncology – A Fort Myers, Florida-based provider of cancer treatment. That attack potentially resulted in the accessing and theft of 2,213,597 patients’ records.

In February, 2016, Florida-based Radiology Regional Center, PA., reported a breach of 483,063 patients’ PHI. The breach did not involve a hacker in this instance, instead the data exposure occurred when patient files fell from a vehicle that was transporting the files to be incinerated.

In May, California Correctional Health Care Services announced the potential exposure of 400,000 health records when an unencrypted laptop computer was stolen. A stolen laptop containing ePHI was also reported by Premier Healthcare, LLC., in April. The device theft resulted in the exposure of 205,748 patient records.

Community Mercy Health Partners also reported a breach of more than 100,000 patient records. Files containing the protected health information of 113,528 patients were discovered in a recycling bin in Springfield, Ohio.

Healthcare records were also potentially obtained as a result of a malware infection at EMR management company Bizmatics. It is not yet clear exactly how many patients were affected by that breach, although current figures indicate more than 265,000 individuals have been impacted.

In total, 142 healthcare data breaches involving more than 500 records have been reported to the Department of Health and Human Services’ Office for Civil Rights so far in 2016. During the same period in 2015, 143 data breaches were reported.

While not all data breaches may yet have made it onto the OCR breach portal, the current breach reports show how healthcare records are being exposed.

  • 48 data breaches were reported as unauthorized access
  • 43 data breaches were attributed to hacking or network server incidents
  • 37 breaches were caused by the loss or theft of devices used to store ePHI or the loss/theft of physical records
  • 4 breaches were due to the improper disposal of records

In terms of the records that were stolen or exposed:

  • 60% were due to hacking (2,703,961 records)
  • 78% were due to loss/theft (1,342,125 records)
  • 6% were the result of unauthorized access or disclosure (342,748 records)
  • 63% were the result of improper disposal (118,594 records)

More Than 11 Million Healthcare Records Exposed in June 2016

Figures from the Department of Health and Human Services’ Office for Civil Rights show 95,251 healthcare records were exposed or stolen in June 2016; however, there have been additional large scale data breaches that have yet to appear on the OCR breach portal.

The series of hacks by TheDarkOverlord have yet to be added to the OCR breach portal. Add in the healthcare records that were stolen in those attacks, and others that have yet to make it onto the breach portal and the total number of records exposed in June rises to 11,061,649, according to figures published in a recent Protenus report. The June figures are more than five times as high as the total number of healthcare records that were exposed in the first five months of the year. Between January and May, 2016., 2,136,810 healthcare records were exposed.

The Protenus report indicates 41.4% of breaches in June were the result of hacking and the same percentage were caused by insider theft and errors. The theft or loss of paper copies of patients PHI or devices containing ePHI accounted for 17.2% of breaches in June.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.