The most recent installment of the Protenus Healthcare Breach Barometer report has been published. Protenus reports that overall, at least 473,807 patient records were breached or stolen in January, although the number of people impacted by 11 of the 37 breaches is not yet certain. The actual total is likely to be considerably more, possibly taking the final total to more than half a million records.
The report shows insiders are still a problem for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January: of the 37 healthcare data breaches reported that month, 12 were attributed to insiders, or 32% of all data breaches.
While insiders were the main cause of data breaches, the incidents impacted a relatively small number of individuals, just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be calculated for 8 of the 12 breaches. Seven incidents were attributed to insider error and five to insider wrongdoing.
Protenus has revealed that, in one particular insider breach, a nurse was discovered to have accessed the health information of 1,309 patients without permission for a period of 15 months. If the healthcare organization had technology in place to review for inappropriate access, the privacy of hundreds of patients would not have been breached.
The second biggest cause of healthcare data breaches in January was hacking/IT incidents. Healthcare organizations reported 11 hacking/IT incidents in January, 30% of all breaches. In contrast to insider incidents, these were not small violations: they accounted for 83% of all records breached in January. A single hacking incident involved 279,865 records, 59% of all records breached that month.
Overall, 393,766 healthcare records were exposed by hacks and other IT attacks. The final figure could be much higher, as figures for five of those breaches have not been obtained. One of the incidents involving an unknown number of records was the ransomware attack on the EHR company Allscripts, which led to some of its applications being unavailable for many days. That incident could well be the largest breach of the month.
Ransomware attacks are still a major issue in healthcare, with six of the 11 hacking/IT incidents involving ransomware or malware. Phishing attacks, the subject of February’s cybersecurity newsletter from the HHS’ Office for Civil Rights, were involved in at least two breaches.
The loss or theft of electronic devices holding ePHI or of physical records accounted for 22% of the breaches. Two incidents involving the loss of patient records impacted 10,590 individuals, and four of the six theft incidents affected 50,929 people. The number of individuals impacted by the other two theft incidents is unknown. The cause of 16% of January’s data breaches has not yet been made public.
The range of breached entities followed a similar pattern to previous months, with healthcare suppliers accounting for the majority of breaches (84%). 5% of the breaches involved a business associate (BA), 3% involved health plans, and 8% affected other entities.
Data on the time taken to detect breaches was only available for 11 of the 37 incidents. The median time from incident to detection was 34 days, while the mean was 252 days. The mean was inflated by one incident that took 1,445 days to discover.