Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3.

In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March, 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches.

The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records.

In Q3, hacking was the leading cause of healthcare data breaches. 51% of the 117 breaches were due to hacking, and those incidents accounted for 83% of all exposed records in the quarter. Both the number of hacking incidents and the number of records exposed through hacking increased in Q3.

23% of data breaches in Q3 (27 breaches) were due to insider wrongdoing or insider error, resulting in the theft/exposure/disclosure of 680,117 health records – 15% of the records exposed in Q3. Insider wrongdoing includes theft of data by employees, snooping on medical records, and other incidents where insiders violated HIPAA Rules.

19 breaches were caused by insider error – mistakes made by healthcare employees that resulted in the exposure or impermissible disclosure of healthcare records. Insider errors resulted in the exposure/disclosure of 389,428 patient records. There were 8 incidents involving insider wrongdoing.

Protenus has drawn attention to the significant increase in records exposed/stolen through insider wrongdoing. In Q1, 4,597 patients were affected by insider wrongdoing; the number increased to 70,562 in Q2, and 290,689 patients were affected by insider wrongdoing incidents in Q3.

There were 22 breaches reported in Q3 that involved paper records (19% of the total). Those incidents saw 344,729 healthcare records exposed.

Healthcare providers disclosed 86 breaches in Q3, 13 health plans reported breaches, and a further 13 breaches were reported by business associates. 5 breaches were reported by other entities. 27 incidents – 23% of the total – had some business associate involvement.

On average, it took 402 days to discover data breaches. The median time to detect a breach was 51 days. One healthcare provider took 15 years to discover that an employee had been accessing healthcare records without authorization. Over that time frame, the employee had viewed the records of 4,686 patients without any work-related reason for doing so. The average time to report breaches was 71 days and the median time was 57.5 days.

The states worst affected by healthcare data breaches in Q3 were Florida with 11 incidents, followed by California with 10, and Texas with 9 incidents.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.