Protenus Report Highlights Extent of Insider Breaches in Healthcare

The quarterly breach barometer report from Protenus provides insights into the extent to which insiders are violating HIPAA Rules and snooping on patient health information.

The Breach Barometer report is compiled using externally supplied breach data together with proprietary data collected through the artificial intelligence platform developed by Protenus, which allows healthcare organizations to track and analyze employee EHR activity.

Insider breaches are a major problem in healthcare, yet many insider breaches go undetected. When insider breaches are identified, it is often months after the breach has occurred. One healthcare employee was recently discovered to have been accessing medical records without authorization for 14 years.

1.13 Million Patient Records Exposed in Q1, 2018

The latest Breach Barometer report shows that the records of 1,129,744 patients and health plan members were viewed by unauthorized individuals, exposed, or stolen in the first quarter of 2018. Data breaches occurred at a rate of more than one per day, with 110 healthcare data breaches reported in Q1.

Data breaches are typically only announced publicly if they have affected more than 500 individuals. Smaller data breaches still need to be reported to the HHS’ Office for Civil Rights to comply with HIPAA Rules, although the information is not made available to the public.

An analysis of the data collected from the Protenus platform suggests that only one thousandth of data breaches are actually disclosed to the public, and that inappropriate accessing of medical records by healthcare employees is a major problem throughout the industry.

Most commonly, healthcare employees snoop on the medical records of family members. 77.10% of all insider snooping incidents in Q1, 2018 involved the unauthorized accessing of family members’ health records. In second place was inappropriate accessing of co-workers’ health records, followed by snooping on neighbors’ health information and VIPs’ medical records.

The Protenus report shows just how important it is to detect these incidents promptly to prevent further privacy violations. Data analyses by Protenus show there is a 20% chance that a healthcare employee will inappropriately view medical records again within three months of the first incident, and a 54% chance that they will repeat the violation at least once in the following 12 months. “Healthcare organizations accumulate risk that compounds over time when proper detection, reporting, and education do not occur,” said Kira Caban, Protenus Director of Public Relations.

Unfortunately, most healthcare providers lack visibility into who is accessing medical records, and privacy violations take many months to detect. The average time taken to identify a breach of patient privacy is 244 days.
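The snooping categories and the repeat-offender pattern described above can be surfaced from an EHR access audit log. The script below is an added illustration, not Protenus's platform or any code from the report: it uses a constructed employee roster, patient directory and seven constructed audit events, and the classification heuristics (same surname for family, same street for neighbor, a roster lookup for co-workers, a VIP flag) are assumptions chosen for the example. It flags every access that has no documented treatment relationship, assigns it a category, and lists employees who repeated a flagged access within a 90-day window, the interval the report uses for its 20% repeat figure.

```python
"""Flag insider EHR snooping patterns in a constructed access audit log.

Added example; the roster, patient directory, log format and category
heuristics are all assumptions, not part of the report or any vendor product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed employee roster: employee id -> surname, home street, and the
# employee's own patient id if they are also a patient of the organization.
EMPLOYEES = {
    "E100": {"surname": "Nguyen", "street": "12 Elm St", "patient_id": "P0100"},
    "E200": {"surname": "Patel", "street": "9 Oak Ave", "patient_id": "P0200"},
    "E300": {"surname": "Reyes", "street": "3 Pine Rd", "patient_id": None},
}

# Constructed patient directory: patient id -> surname, street, VIP flag.
PATIENTS = {
    "P0100": {"surname": "Nguyen", "street": "12 Elm St", "vip": False},   # E100's own record
    "P0200": {"surname": "Patel", "street": "9 Oak Ave", "vip": False},    # E200's own record
    "P0501": {"surname": "Nguyen", "street": "12 Elm St", "vip": False},   # E100's family member
    "P0502": {"surname": "Kowalski", "street": "3 Pine Rd", "vip": False}, # E300's neighbor
    "P0503": {"surname": "Famous", "street": "1 Hill Ct", "vip": True},    # VIP patient
    "P0504": {"surname": "Smith", "street": "77 Lake Dr", "vip": False},   # ordinary patient
}

# Constructed audit log: timestamp, employee, patient, and whether the EHR
# recorded a treatment relationship (care team membership) for the access.
ACCESS_LOG = """\
2018-01-05T09:12:00 E100 P0501 no_care_relationship
2018-01-06T10:00:00 E100 P0504 care_team
2018-02-20T14:30:00 E100 P0501 no_care_relationship
2018-01-15T11:45:00 E300 P0200 no_care_relationship
2018-01-16T08:05:00 E300 P0502 no_care_relationship
2018-03-01T16:20:00 E200 P0503 no_care_relationship
2018-07-10T09:00:00 E300 P0503 no_care_relationship
"""

# Employee ids that correspond to a patient record, for co-worker detection.
EMPLOYEE_PATIENT_IDS = {e["patient_id"] for e in EMPLOYEES.values() if e["patient_id"]}


def parse_log(text):
    """Parse the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, pat, relationship = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "emp": emp,
                       "pat": pat, "care": relationship == "care_team"})
    return events


def classify(event):
    """Return a snooping category for an access with no treatment
    relationship, or None when the access had a documented care reason."""
    if event["care"]:
        return None
    emp = EMPLOYEES[event["emp"]]
    pat = PATIENTS[event["pat"]]
    if event["pat"] == emp["patient_id"]:
        return "self"          # employee viewing their own chart
    if pat["vip"]:
        return "vip"
    if event["pat"] in EMPLOYEE_PATIENT_IDS:
        return "coworker"
    if pat["surname"] == emp["surname"]:
        return "family"        # heuristic: shared surname
    if pat["street"] == emp["street"]:
        return "neighbor"      # heuristic: shared street, different surname
    return "other"


def category_counts(events):
    """Count flagged accesses per category across the whole log."""
    counts = defaultdict(int)
    for ev in events:
        category = classify(ev)
        if category:
            counts[category] += 1
    return dict(counts)


def repeat_offenders(events, window_days=90):
    """Map employee id -> number of further flagged accesses that occurred
    within window_days of that employee's first flagged access."""
    flagged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if classify(ev):
            flagged[ev["emp"]].append(ev["ts"])
    repeats = {}
    for emp, times in flagged.items():
        later = [t for t in times[1:] if t - times[0] <= timedelta(days=window_days)]
        if later:
            repeats[emp] = len(later)
    return repeats


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    print("flagged by category:", category_counts(evs))
    print("repeat offenders within 90 days:", repeat_offenders(evs))
```

Everything the script flags still needs human review: a shared surname or street is only a prompt for a privacy officer to check whether a legitimate reason existed. The value of the repeat-offender view is that it ranks follow-up by who is accumulating risk, which is where the report says the compounding happens when detection and education lag.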

The quarterly Breach Barometer report can be downloaded via this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.