Share this article on:
Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen.
In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents. February saw relatively few individuals affected by healthcare data breaches. 206,151 patients and health plan members had some of their protected health information exposed last month. However, in March the figure jumped to 1,519,521 – more than 2.5 times the number of individuals impacted by healthcare data breaches in January and February combined. Almost half of those individuals had their ePHI exposed in the same incident – a 697,800-record theft incident reported by Commonwealth Health Corporation.
The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven were the result of insider wrongdoing.
Hacking incidents made up 28% of the total and resulted in the theft or exposure of 600,270 records. 21% of incidents involved the loss or theft of physical records and devices containing ePHI. While loss and theft was responsible for the fewest data breaches, those incidents resulted in the exposure of the most records in March, with 737,131 individuals impacted by those incidents. The remaining 8% of breaches could not be categorized as the cause has not been disclosed.
Healthcare providers were the worst hit, registering 84.6% of the incidents. Four incidents were reported by health plans and there was one breach reported by a business associate.
Protenus reports that virtually all data breaches were reported within the 60-day window of the HIPAA Breach Notification Rule. There was a marked improvement in reporting times, taking an average of 45 days from the discovery of the breach to the submission of the breach report to the Department of Health and Human Services’ Office for Civil Rights. In February, the average time from the discovery of the breach to submitting a report to OCR was 478 days. In March, only two covered entities submitted late breach reports – one took 77 days and another took 89 days.
While California is usually the worst affected state, this month Texas gets that honor with 6 reported incidents. Tennessee, Pennsylvania, Kentucky, and Missouri each had three data breaches.