Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends.
The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’ breach reporting tool, but also media reports of incidents and public findings. Prior to inclusion in the report, all breaches are independently confirmed by databreaches.net. The Breach Barometer reports delve into the main causes of data breaches reported by healthcare providers, health plans and their business associates.
In a webinar on Wednesday, Protenus Co-Founder and president Robert Lord and Dissent of databreaches.net discussed the findings of the mid-year review.
Lord explained that between January and June 2017 there were 233 reported data breaches, impacting 3,159,236 patients. The largest reported breach in the first half of the year resulted in the theft of 697,800 records and was caused by a rogue insider. It was one of 96 incidents involving insiders.
Of those 96 incidents, 57 were due to insider error (423,000 records) and 36 were due to insider wrongdoing (743,665 records). The remaining three breaches could not be classified.
The true number of insider incidents is likely to be far higher than the figures in the Breach Barometer report. Dissent explained that many incidents are not being disclosed publicly or reported to HHS. One of the best examples is misconfigured MongoDB databases. Dissent explained that many organizations have not reported that protected health information has been exposed online, even though security researchers have discovered that the data could be accessed over the Internet without authentication. When these incidents are reported, they are often reported to HHS as hacking incidents, even though the root cause is human error.
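The MongoDB exposures described above come down to two settings in the server's configuration file. The fragment below is an added illustration, not from the report or the webinar, and assumes a standard `mongod.conf` on a server that should only be reachable from application hosts (the hardened `bindIp` address is a constructed placeholder).

```yaml
# Exposed configuration: no authentication and listening on every
# interface, so anyone who can reach the port can read the data.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled

---
# Hardened configuration: require authenticated, role-based access and
# listen only on loopback plus the internal interface used by the
# application tier (10.0.5.12 is a constructed placeholder address).
net:
  bindIp: 127.0.0.1,10.0.5.12
  port: 27017
security:
  authorization: enabled
```

Enabling `authorization` only helps once at least one user with an appropriate role has been created, so a configuration review should confirm both the setting and the presence of user accounts.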
The first six months of the year saw 75 hacking incidents and 29 ransomware incidents reported. As was explained, ransomware incidents are similarly underreported, even though OCR has made it clear that ransomware attacks are reportable breaches. The true figure is likely to be far worse.
The breakdown for the first half of the year was as follows: 41% of incidents were caused by insiders, 32% by hacking, and 18% by loss or theft of records and devices, while the cause of 9% of the breaches is still unknown.
Hacking may be the second biggest cause of breaches, but it has resulted in the exposure or theft of the most records. Hacking accounted for 1,684,904 exposed or stolen records, insiders for 1,166,674 records, theft or loss for 112,302 records, and incidents with unknown causes for 178,420 records.
To put the figures into perspective, between January and December 2016 there were 450 incidents reported, so data breaches have been occurring at a similar rate to last year. While the number of reported incidents has remained fairly constant, the severity of those breaches has increased, and this year is likely to see far more individuals impacted by breaches than last year.
Last year, approximately 2 million patients were affected by insider incidents. This year, 1.17 million individuals have already been impacted by insider incidents. Hacking incidents are also up. Last year there were 120 confirmed hacking incidents for the entire year. This year there have already been 75 reported incidents.
In June, 52 healthcare data breaches were reported, the highest total for any month of the year to date by some distance. The second biggest monthly breach total was 39 incidents. June also saw the third highest number of individuals impacted by the breaches, with 729,930 records confirmed as exposed or stolen.
Robert Lord explained that the time from the initial breach date to discovery is particularly bad in the healthcare industry. The mean time to discover a breach was 325.6 days, with a median of 53 days. Healthcare organizations are not discovering breaches quickly enough. Fast detection can greatly reduce the harm caused to patients, and as the Ponemon Institute has shown, also the cost of mitigation.
There is some good news, however. The time taken to report breaches to OCR has improved over the past 6 months. The mean time to report breaches is 54.5 days and the median 57 days. HIPAA allows 60 days to report data breaches and notify affected individuals. In June, both the mean and the median were under the maximum time frame allowed by the HIPAA Breach Notification Rule.
So, what does the rest of 2017 have in store? Dissent explained that 2017 has been a “no good, horrible, very bad year.” Unfortunately, there is no indication that the rest of the year will be any better. The next six months are likely to be just as bad, and 2017 may surpass last year for both the number of breaches and the number of patients impacted by those incidents.
While other industry sectors have hacking/malware as the main breach cause, insider incidents are the biggest problem for the healthcare industry. Healthcare organizations need to take steps to prevent these breaches. As Robert Lord explained, technologies can be deployed to help prevent insider incidents and detect them promptly when they occur.
One of the most important take-home messages from the report is that people’s lives are seriously affected by healthcare data breaches. More must be done to prevent breaches and ensure they are detected promptly. Fast detection and notification allows patients and health plan members to take action to reduce the harm caused.