The Breach Barometer Report by Protenus for 2019 has been published, analyzing healthcare data breaches in 2018. The report found a major increase in healthcare data breaches last year. Protenus used information gathered from Databreaches.net to conduct its investigation. The site tracks all data breaches reported to the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) as well as breaches reported in the media.
Although the increase in annual healthcare breaches was minimal, at 503 breaches compared to 477 in 2017, the number of exposed records tripled. In 2017, the number of healthcare records exposed was 5,579,438, whereas 2018 had 15,085,302 compromised records. Additionally, in 2017 the majority of records were compromised toward the beginning of the year, with the number of breaches decreasing each quarter. In 2018, the number of exposed healthcare records grew each quarter, from 1,175,804 in Q1 to 6,281,470 in Q4.
In the largest breach of 2018, hackers accessed 2.65 million health records in North Carolina in just one week. Overall, healthcare hacking incidents have trended upward since 2016 and accounted for 44.22% of tracked data breaches in 2018. However, of the 222 hacking incidents in 2018, data was available for just 180 breaches. The available data showed that the most common types of attacks were ransomware/malware attacks and phishing incidents.
Insiders were responsible for 28.09% of total breaches. Of those breaches, 14.34% were due to loss/theft and 13.35% were for unknown reasons. Insider breaches decreased as a share of the total compared to 2017, when 37% of total breaches were due to insiders' human error. Even so, more records were exposed in the 139 insider incidents of 2018 (2,056,138 records) than in the 176 incidents of the previous year (785,281 records).
This is why it is essential to have the correct tools in place to detect insider breaches in a timely manner. In one previous incident, a healthcare provider's employee was caught looking at patient records without permission, but the activity took 15 years to detect.
Insider breaches are not solely employee related; many are due to patients' family members accessing private health information without permission. Insider breaches by family members made up 67.38% of total breaches in 2018. Co-workers accessing each other's private information were responsible for 15.81% of insider incidents. According to Protenus, it is common for the people responsible for insider breaches to repeatedly access private information without consent, with 51% of insider breaches involving such individuals.
On average, breaches of all kinds took 255 days to be detected and 73 days to be reported after discovery. The most affected group was healthcare providers, accounting for 70% of breaches and 353 incidents. Beyond those 353 incidents, 62 incidents were reported by health plans, 49 by HIPAA business associates, and 39 by other entities. In addition, 102 incidents were related in some way to business associates.
In conclusion, Protenus predicts at least one breach a day in 2019. The risk of breaches continues to grow and should concern anyone in the healthcare industry.