Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR).
The year is certainly not ending well. November saw the highest number of healthcare data breaches of any month in 2016, including August, a particularly bad month for the healthcare industry in which 42 protected health information (PHI) breaches were reported by covered entities.
However, November’s total was 35% higher than August and 60% higher than October, according to the November Breach Barometer Report from Protenus. Last month, 57 healthcare data breaches were reported, which is almost two incidents per day.
Fortunately, the breaches that were reported were relatively small and the downward trend in the number of exposed/stolen records continued for the second month in a row. In total, 458,639 healthcare records were exposed in November, down 317,894 from the previous month.
November was something of an atypical month due to the nature of reporting of healthcare data breaches. Had the data breaches at Ambucor Health Solutions and EMR4All/Rehab Billing Solutions been reported as single breaches, the breach total for the month would have stood at 39. Still a particularly bad month, but not as bad as August.
As it was, the incidents were reported to OCR separately by each organization that was affected. There were 11 incidents reported by organizations impacted by the Ambucor Health Solutions breach and a further 9 reported by entities affected by the breach at EMR4All/RBS, according to DataBreaches.net, which provided the data for the Protenus report.
Recent surveys have suggested IT professionals are more concerned about insider breaches than cyberattacks by hackers, and with good reason. The Breach Barometer report shows how serious the threat of insider breaches is. In November, 54.4% of healthcare data breaches were caused by insiders. 17 breaches were accidental breaches by healthcare employees and 14 were the result of malicious actions by employees with access to PHI.
There were 9 incidents that involved hackers, which was an improvement on October when 14 incidents were attributed to hacking. Ransomware was involved in 3 security breaches reported in November. TheDarkOverlord, who has previously attempted to extort money from a number of healthcare providers after stealing their data, was involved in one incident.
Healthcare providers once again were the worst hit, registering 40 incidents – 70% of incidents – followed by health plans with 11. Business associates reported three breaches, although they were involved to some degree in at least 44% of the breaches reported in November.
Protenus calculated the average time taken to report incidents to OCR to be 135 days from the date of discovery. 65% of breaches were reported after the 60-day window allowed by the HIPAA Breach Notification Rule, most of which were entities affected by the Ambucor breach. The breaches in November were also widespread, with affected entities based in 24 different states.
According to DataBreaches.net, the entities involved in the breaches in November were:

| Entity | Entity Type |
|---|---|
| Aetna Signature Administrators | Business Associate |
| AON Hewitt | Business Associate |
| Austin Pulmonary Consultants | Healthcare Provider |
| Bay Sleep Clinic | Healthcare Provider |
| Berkshire Medical Center | Healthcare Provider |
| Best Health Physical Therapy, LLC | Healthcare Provider |
| Biomechanics LLC | Healthcare Provider |
| Briar Hill Management | Business Associate |
| Briar Hill Management | Business Associate |
| Broward Health: Broward Health Imperial Point | Healthcare Provider |
| Camas Center Clinic, Kalispel Tribe of Indians | Healthcare Provider |
| Carolina Cardiology Consultants (Greenville Health System) | Healthcare Provider |
| Charleston Area Medical Center | Healthcare Provider |
| CHI Franciscan Health | Healthcare Provider |
| Cleveland Clinic Akron General | Healthcare Provider |
| Command Marketing Innovations | Business Associate |
| Conemaugh Physician Group Cardiology | Healthcare Provider |
| Consultants in Neurological Surgery, LLP | Healthcare Provider |
| Eye Institute of Marin | Healthcare Provider |
| GHI (Emblem Health) | Health Plan |
| Glendale Adventist | Healthcare Provider |
| Harrisonburg OB GYN Associates, P.C. | Healthcare Provider |
| Horizon BCBS & UnitedHealth Group | Health Plan |
| Horizon Blue Cross Blue Shield of New Jersey | Health Plan |
| HP Enterprise Services, LLC | Business Associate |
| Indiana Family and Social Services Administration - Indiana Health Coverage Program | Health Plan |
| Irvine Company | Business Associate |
| Kaiser Foundation Health Plan | Health Plan |
| Kaiser Permanente Health Plan – N. Cal | Health Plan |
| Kaiser Permanente Health Plan – S. Cal | Health Plan |
| KinetoRehab Physical Therapy, PLLC | Healthcare Provider |
| La Gloria Pharmacy | Healthcare Provider |
| LCS Westminster Partnership IV, LLP d/b/a Sagewood | Healthcare Provider |
| Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) | Healthcare Provider |
| Lenox Hill Heart and Vascular Institute | Healthcare Provider |
| Lister Healthcare | Healthcare Provider |
| Louisiana Health Cooperative, Inc. in Rehabilitation | Health Plan |
| Luque Chiropractic | Healthcare Provider |
| Main Line Health | Healthcare Provider |
| Managed Health Services | Health Plan |
| Marin Medical Practice Concepts, Inc. | Business Associate |
| New Mexico Heart Institute | Healthcare Provider |
| North Texas Heart Center, P.A | Healthcare Provider |
| OC Gastrocare | Healthcare Provider |
| OptumHealth New Mexico | Health Plan |
| Pikeville Medical Center | Healthcare Provider |
| Pinellas County Board of County Commissioners | Health Plan |
| Primerica | Business Associate (Financial Services) |
| Seguin Dermatology | Healthcare Provider |
| Stony Brook Internists, University Faculty Practice Corporation VA Eastern Colorado Health Care System | Healthcare Provider |
| Unnamed cleaning service | Business Associate |
| Unnamed vendor | Business Associate |
| Unnamed vendor + UPS | Business Associate |
| Vanderbilt U. Psychological & Counseling Center | Healthcare Provider |
| Vascular Surgical Associates | Healthcare Provider |
| Vein Specialists of Northwest Georgia | Healthcare Provider |
| Vision Care Florida, LLC | Healthcare Provider |
| WADA and USADA | Anti-Doping Agency |
| Wal-Mart Stores, Inc. | Healthcare Provider |
| Washington Department of Social and Health Services - Aging and Disability Services | Healthcare Provider |
| Watsonville Chiropractic (David W. Christie, D.C.) | Healthcare Provider |
| Wentworth-Douglass Hospital | Healthcare Provider |
| Young Adult Institute, Inc. | Healthcare Provider |