84K Patient Records Breached as Patients Remain Hesitant to Disclose Sensitive Medical Information
Insider threats continued to plague the healthcare industry in November. The HHS Office for Civil Rights (OCR) re-emphasized the need for healthcare organizations to implement effective identity and access management (IAM) policies to ensure that former employees have both their physical and electronic access to PHI terminated. Effective policies help prevent malicious or vengeful former employees from accessing patient information, access that can be difficult to detect unless security controls and data analytics are in place to flag activity by accounts that should no longer exist. Effective policies also ensure that any devices that may contain PHI are promptly returned and that any personal devices are cleared or purged of PHI. OCR’s reminder seems especially timely given that the number of insider breaches of patient data outweighed the number of hacking incidents for the month of November.
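The kind of check OCR's reminder points at, as an added example (this is not code from Protenus, OCR, or DataBreaches.net): join an HR termination roster against the EHR audit log and flag any record access that happened after a user's termination date, plus any terminated user whose account is still enabled. The roster, the audit-log lines, the account states, and the user and patient identifiers are all constructed for the illustration.

```python
"""
Flag PHI access by former employees and accounts that were never disabled.

Added illustration, not vendor or regulator code. All inputs below are
constructed: a small HR roster, a few EHR audit-log lines and an IAM
account-state table standing in for the real systems an organization
would query.
"""
from datetime import date, datetime

# Constructed HR roster: user id -> termination date (None = still employed).
HR_ROSTER = {
    "jdoe": date(2017, 10, 31),
    "asmith": None,
    "rlee": date(2017, 11, 6),
}

# Constructed EHR audit log: "<timestamp> <user> <action> <patient id>".
# One deliberately malformed line is included to show it is skipped.
AUDIT_LOG = """\
2017-11-01T08:12:03 jdoe VIEW_RECORD P1001
2017-11-01T09:40:17 asmith VIEW_RECORD P1002
2017-11-03T22:15:44 jdoe EXPORT_RECORD P1003
2017-11-06T11:02:09 rlee VIEW_RECORD P1004
garbled audit line
2017-11-07T02:55:31 rlee VIEW_RECORD P1005
2017-11-08T10:00:00 asmith UPDATE_RECORD P1002
"""

# Constructed IAM state: user id -> account currently enabled?
ACCOUNT_ENABLED = {"jdoe": True, "asmith": True, "rlee": False}

# Date on which the reconciliation is run (constructed).
REVIEW_DATE = date(2017, 11, 30)


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not a well-formed audit record
        ts, user, action, patient = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "action": action,
            "patient": patient,
        })
    return events


def post_termination_access(events, roster):
    """Return events where a user accessed PHI after their termination date.

    The termination date itself counts as employed (offboarding day), so only
    strictly later calendar days are flagged.
    """
    hits = []
    for ev in events:
        term = roster.get(ev["user"])
        if term is not None and ev["ts"].date() > term:
            hits.append(ev)
    return hits


def orphaned_accounts(roster, enabled, as_of):
    """Terminated users (before as_of) whose account is still enabled."""
    return sorted(
        user for user, term in roster.items()
        if term is not None and term < as_of and enabled.get(user, False)
    )


def main():
    events = parse_log(AUDIT_LOG)
    for ev in post_termination_access(events, HR_ROSTER):
        print("ALERT {} {} {} {}".format(
            ev["ts"].isoformat(), ev["user"], ev["action"], ev["patient"]))
    for user in orphaned_accounts(HR_ROSTER, ACCOUNT_ENABLED, REVIEW_DATE):
        print("ORPHANED ACCOUNT {}".format(user))


if __name__ == "__main__":
    main()
```

In the constructed data, jdoe's two accesses after 31 October and rlee's access on 7 November are flagged, rlee's same-day access on 6 November is not, and jdoe is reported as an account that was never disabled. In practice the roster and account states come from the HR and IAM systems, and the same join is worth scheduling daily so that a missed offboarding surfaces within a day rather than in a breach report.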
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Findings for November 2017
Since the beginning of 2017, there has been a consistent trend of at least one healthcare data breach per day; November dipped slightly below that average with a total of 28 incidents. Information was available for 25 of those incidents, which affected a total of 83,925 patient records. This may be a positive sign for the healthcare community, because both the number of data breach incidents and the number of affected patient records are lower than in any other month so far in 2017, but it may also simply reflect reporting that was delayed over the Thanksgiving holiday. Either way, the number of affected records disclosed in November was significantly lower than in the rest of the year. By comparison, 246,246 records were affected in October, 499,144 in September, and 673,934 in August. Protenus and DataBreaches.net will continue to monitor the data to see whether this is the start of a trend or merely an outlier.
The single largest incident in November for which we have data involved a sleep and pulmonary center in New Jersey, which reported that 16,474 patient records were encrypted in a ransomware attack. The organization did not pay the ransom and instead restored the files from an offline backup. This incident is an excellent example of why it is so important for healthcare entities to maintain up-to-date offline backups, kept disconnected so that the ransomware cannot reach them: the organization was able to resume normal operations quickly, even after being hacked, without paying the ransom.
Insider Incidents Outweigh Hacking in November
Since July 2017, hacking incidents have consistently outnumbered insider incidents, but November reversed that trend. Nevertheless, a significant share of affected records (44%) was due to hacking, and that share would likely have been higher still had data been available for every hacking incident (three hacking reports gave no figure for the number of records affected).
There were eight incidents that involved hacking in November, and we have numbers for five of them. These five breaches affected 36,804 patient records. In other words, although hacking incidents accounted for only 29% of the total number of breaches, they involved 44% of all patient records affected in November. Four of the hacking incidents specifically mentioned that ransomware was involved, and three incidents specifically mentioned phishing. Of note, there was no mention of extortion in any of the reported incidents (excluding the ransomware ransom demands).
There were nine incidents that involved insiders during the month of November, accounting for 32% of the total number of data breaches. We have data for all nine incidents, affecting 36,447 patient records. This number represents 43% of all patient records affected in November. Seven of these insider incidents involved insider-error, affecting 27,228 records, and two of them involved insider-wrongdoing, affecting 9,219 records.
While insider and hacking breaches accounted for the majority of disclosed incidents, five incidents involved physical theft of patient records, affecting 3,273 records, and two incidents involved lost or missing records, affecting 2,051 records. Loss and theft of patient records accounted for 25% of all November health data breaches. Finally, we did not have enough information on four incidents to classify them, and these incidents accounted for 5,350 patient records.
Three incidents disclosed in November involved business associates or third parties. There could be more incidents involving third parties, but there was not enough information to make that determination. Of note, two of these reports involved one entity, a firm that enables people to apply for health insurance rate quotes online. The firm suffered a data leak from a misconfigured database that exposed information online to anyone who knew how or where to look for it. Confusingly, one health insurer reported the firm’s data exposure to HHS, even though there was no breach by the health insurer. The firm was not a vendor or business associate of the health insurer, and the health insurer had no role in collecting information from people who entered it on the firm’s website. It therefore appears that the health insurer reported an incident that was not its breach at all. Why it would do so is unclear, but it also offered those who had received quotes on its insurance two years of free identity theft protection.
Types of Entities Disclosing
Of the 28 reported health data breach incidents for November, 23 (82.1%) involved healthcare providers, three (10.7%) involved health plans, one (3.6%) involved a business associate, and one (3.6%) involved a business that falls into the “other” category of our analysis. That business was a law firm that suffered a ransomware attack affecting 16 records. The firm had access to certain patients’ medical information because it primarily represents defendants in asbestos, workers’ compensation, and other personal injury cases. The firm notified law enforcement of the breach and began building a new computer system to prevent future attacks.
It is also worth noting that there were seven health data breaches that involved paper or film patient records, affecting 8,859 patients. There may have been more incidents in which paper or film records were involved, but some reports were lacking the details that would have enabled us to make that determination.
Improvement in Discovering and Reporting Health Data Breaches
For the health data breaches that occurred in November, we have breach-to-discovery timing for only four incidents. On average, it took those organizations 55 days (median = 33 days) to discover that they had been breached.
The longest of these took 153 days from the time the breach occurred to when it was discovered. Although these figures are lower than those reported in previous months, the small sample size precludes any meaningful comparison.
It also took an average of 61 days (median = 57 days) for entities to disclose a breach to HHS, the media, or the state Attorney General. This is promising, as entities continue to shorten the time from breach discovery to disclosure, although the 61-day average still falls just outside the 60-day window that HHS mandates.
Breach Incidents By State
Twenty states are represented in the 28 health data breaches. Kentucky had the most incidents of any state with three. Massachusetts, Texas, Colorado, Indiana, Florida, and California were tied for second with two incidents each. California and Texas routinely report a relatively high number of breach incidents, but this could reflect a larger number of reporting entities, higher patient volume, or more robust reporting requirements.
With both internal and external actors continuing to threaten patient data, the American Medical Association recently reported that 8 out of 10 physicians have experienced a cyber attack while in practice. With such unnerving findings emerging while the healthcare industry still struggles to protect its patients’ privacy, it is more important than ever for organizations to implement proper security measures to protect their data. OCR re-emphasized this need, especially for insider threats, and offered concrete steps organizations can take to be proactive about patient privacy. Moreover, a study published in November in the Journal of Medical Internet Research found that privacy concerns are the primary influence on whether patients consent to sharing their health information electronically. In other words, patients will remain hesitant to share their information fully until they are confident that healthcare organizations are taking the necessary steps to protect their sensitive medical information.
If you’d like to read more about the details pertaining to specific breach incidents, you can find reports on the Databreaches.net website.