31 health data breaches disclosed in January as HHS fines for late reporting
2017 has kicked off with a huge proportion of insider threats, as January data from disclosed breaches reveals that 59.2% of breached patient records were the result of insiders. This month’s health data breaches reinforce the importance of health data security, as the need to protect patient data from insiders continues to loom large. Healthcare organizations, more than ever, need to be proactive in discovering and reporting when a breach has occurred. This is especially the case given that HHS OCR has issued its first fine for failing to report a breach within their 60-day window.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Findings for January 2017
With 2016 averaging at least one health data breach per day, 2017 is off to a similar start with 31 breach incidents, averaging one data breach for every day of the month. There were slightly fewer incidents disclosed in January than in December (36 incidents), and dramatically fewer affected patient records (1,431,449 vs. 388,307). Our analysis is based on incidents either reported to HHS or disclosed in media or other sources during January 2017. Information was available for 26 of those incidents. The largest single incident involved 220,000 patient records, a result of a third-party breach involving insider-wrongdoing.
Insider-Wrongdoing Responsible for 58.4% of Breached Patient Data
The majority (59.2%) of breached patient records — 230,044 records — were attributable to insider incidents. Five of nine insider incidents were the result of insider-wrongdoing. For the four insider-wrongdoing incidents for which we have numbers, 226,798 patient records were affected. Four other insider incidents were the result of insider-error, affecting 3,246 patient records.
Hacking Incidents Continue to Threaten Patient Privacy
Of the 12 hacking incidents disclosed in January, we have numbers for 10 of these incidents, affecting 145,636 patient records. One incident involved an extortion demand from TheDarkOverlord. When the entity did not pay the demand, the data was publicly leaked.
A second hacking incident disclosed this month was somewhat unusual. Although there was no reported ransomware or ransom demand involved, the entity reported that the attack interfered with patient care when the data was corrupted and clinics could not access the necessary data for marijuana records and prescriptions.
A third incident disclosed in January actually involved two sequential breaches: one insider-error incident that exposed patient data, and a second, external attack. Both events stemmed from a misconfiguration of a vendor’s database. The misconfiguration, which exposed patient data, was detected by researchers, but before the researchers could even contact the covered entity to alert them to secure the database, criminals also detected the exposure and hacked the database, wiping it out and leaving a ransom demand.
We should note that a few of the incidents categorized as ‘hacking’ involved employees falling for phishing attacks. These incidents comprised two elements: insider-error in responding to the phishing attacks and the external threat itself. In our report we categorized these as ‘hacking’, but such incidents reinforce the need for routine employee training, re-training, and proactive analytics solutions that immediately detect employee errors.
Types of Entities Reporting
Of the 31 reported incidents in January, 25 involved healthcare providers (80.6% of all reported entities), followed by four incidents involving health plans and two involving third parties. Please note that one of the providers is a non-profit that collected medical and health insurance information but provided support services rather than diagnostic or treatment services.
As we noted in our annual report, third-party breaches continue to account for a significant proportion of breached records. At least six incidents were the result of third parties, with numbers available for five of these incidents. Those five incidents accounted for 82% of the total patient records for January, affecting 316,766 patient records. It should be noted that there may be more, as information was not available for every breach incident this month.
It is worth noting that five breach incidents in January involved paper/film records. Again, there may be more, but some reports were lacking detail that would have enabled that determination.
Length of Time to Discover and Report Breaches
Of the incidents reported in January for which we have data, it took an average of 174 days from the time a breach occurred to when it was reported to HHS. This is substantially longer than the average of 123.5 days it took healthcare organizations to discover a breach had even occurred. 40% of reporting entities for which we have numbers took longer than the 60-day window to report their breach to HHS. HHS has started enforcing this 60-day reporting requirement with heavy fines. A healthcare organization that was late in reporting their breach to HHS and to patients was fined $475,000. This fine can be a relatively small portion of the total cost of a breach for healthcare organizations, but is still significant, and poses additional risks to patients, as they cannot take steps to protect themselves until they are notified.
Breach Incidents By State
21 states are represented in the 31 health data breach incidents. California continues to be the state publicly reporting the greatest number of health data breaches; however, it should be noted that this could be due to the sheer volume of reporting entities and patients in the state. Maryland had the second highest total, with three separate health data breach incidents.
Sign up to be the first to receive our monthly Breach Barometer report and get the latest information on the data breaches affecting healthcare.