Protenus has released its November healthcare data breach report – a summary of healthcare data breaches reported by HIPAA-covered entities. The report shows there has been a month-on-month fall in healthcare data breaches, and a major reduction in the number of records exposed by data breaches.
November saw the lowest total of the year to date for breaches with 28 incidents included in the report – four incidents fewer than February, the previous best month when 32 breaches were reported. This is the second consecutive month when reported breaches have fallen. There were 46 breaches reported in September and 37 in October.
November was also the best month of the year in terms of the number of records exposed. 83,925 individuals were impacted by healthcare data breaches in November. The previous lowest total was May, when 138,957 records were exposed. November was the third consecutive month where the number of breached records fell.
While the November healthcare data breach report offers some good news, the fall in breaches and breached records should be taken with a large pinch of salt. Healthcare organizations have a maximum of 60 days to report breaches, so the figures do not indicate there has been a reduction in incidents. Also, figures have only been obtained for 25 of the 28 breaches. As Kira Caban, Director of Public Relations at Protenus, notes, “The number of both data breach incidents and affected patient records are lower than any other month thus far in 2017, but it may also just indicate that people wanted to get ready for Thanksgiving, so they delayed reporting.”
In November, insider breaches outnumbered hacking incidents, with nine incidents (32%) due to insiders and eight incidents (28%) attributed to hacking. 25% of breaches involved the loss or theft of records or devices containing ePHI. Seven of the breaches involved paper records.
The November healthcare data breach report shows hacking incidents resulted in the highest number of exposed records by a nose: 36,804 records. Insider incidents resulted in the exposure of 36,447 records: 27,228 due to insider error and 9,219 due to insider wrongdoing. 5,324 records were exposed due to the theft or loss of physical records or devices containing unencrypted ePHI.
As is typical, healthcare providers reported the most breaches (82.1%), followed by health plans (10.7%). Three incidents (3.6%) are known to have involved business associates of HIPAA-covered entities.
It is difficult to make a determination whether healthcare organizations managed to discover breaches more quickly, as figures were only available for four incidents. The average time to detect a breach was 55 days, with a median of 33 days. One breach took 153 days to discover.
Data are better for the time to report breaches. The median time to report the incidents to HHS was 57 days, with an average time of 61 days. The figures show healthcare organizations are still waiting until the last minute to report breaches. It should be noted that while HIPAA allows up to 60 days to report data breaches, incidents should be reported without unnecessary delay, and well within that 60-day window. At least three covered entities have risked a financial penalty for delayed breach notifications, with one taking 134 days to report the breach.
While California is usually the state with the most reported breaches, that unenviable accolade was taken by Kentucky in November, with three reported breaches. Healthcare organizations based in Massachusetts, Texas, Colorado, Indiana, Florida, and California each reported two breaches.