A Single Hacking Incident Responsible for 59% of Total Breached Patient Records in January
The health data breach landscape remained tumultuous in January, with an almost equal number of hacking and insider-related incidents. Of note, hacking incidents affected significantly more patient records, due largely to one breach that alone accounted for 59% of all breached patient records this past month. Additionally, in a recent ruling, the HHS Office for Civil Rights (OCR) levied a $3.5 million fine on a healthcare provider after five separate breach incidents at various locations. OCR found that the organization had failed to conduct a risk analysis of possible threats and vulnerabilities to patient data, and had failed to implement policies and procedures to address security incidents and to govern how electronic PHI should be moved in and out of its facilities. OCR and the healthcare organization have agreed to a corrective plan to overhaul the organization’s security measures and risk management plan. This ruling highlights, once again, the necessity for healthcare organizations to educate their employees on proper protocols for handling patient data and to gain full visibility into every access to their EHR in order to mitigate, and even prevent, these incidents.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Almost half a million records breached in January 2018
There were a total of 37 health data breaches in the month of January, continuing the ongoing trend of at least one health data breach per day. We have numbers for 26 of those incidents, which affected 473,807 patient records. A single incident involving a healthcare provider accounted for over half of the total number of affected records for January when an unauthorized third party gained access to Medicaid patient information. An investigation did not find any evidence that the information was removed from the servers, but the records of 279,865 patients were affected by the breach (59% of all breached patient records in January).
Hacking accounts for 83% of affected patient records
Following another trend that began in 2017, hacking and insider incidents were almost identical in terms of number of incidents discovered in January, with 12 insider and 11 hacking incidents. However, hacking incidents accounted for an astonishing 83% of affected patient records. The largest incident in January greatly contributed to the high number of patient records affected by hacking.
30% of the total number of incidents this month involved hacking. We have data for six of these incidents, affecting 393,766 records. Six of these eleven incidents specifically mentioned ransomware or malware, and two incidents specifically mentioned phishing. It’s important to note that we do not have numbers for five of the hacking incidents. For example, we do not have data on one ransomware attack that affected an electronic health record (EHR) company, leaving several of its applications offline for days as it struggled to recover from the breach.
Insiders responsible for only 1% of breached patient records
There were 12 incidents that involved insiders in January, representing 32% of the total number of breaches. We have numbers for eight of these incidents, affecting 6,805 patient records. Examining the data more closely, seven of these breaches were classified as insider-error; information was available for five of them, which affected 3,558 patient records. The other five incidents were classified as insider-wrongdoing; we have numbers for three of them, affecting 3,247 patient records.
One particular incident highlights the persistent danger of insider-wrongdoing: a nurse snooped on patient information over the course of 15 months. The nurse inappropriately accessed the records of 1,309 patients, obtaining information such as name, date of birth, gender, medical record number, diagnosis/reason for visit, and medications. In four cases, however, the perpetrator also accessed social security numbers, health insurance coverage details, and financial information. Regardless of what patient information was accessed, the fact remains that the potential for irreversible damage existed. Again, healthcare organizations need to be able to detect when their workforce is inappropriately accessing patient information so that incidents like this one are stopped before they turn into horrible situations for both the organization and its patients.
Hacking and insider incidents continue to make up the majority of health data breaches, but there were also two incidents of patient records being lost or missing in January. Worryingly, these two incidents alone affected 10,590 records. This is almost double the number of patient records affected by insider incidents.
Also of concern were six incidents involving the physical theft of patient records. Data were available for four of these incidents, which affected 50,929 patient records. Finally, there were six additional incidents which we did not have enough information to classify; these incidents affected 11,717 patient records.
Six of the 37 reported incidents involved a business associate or third-party vendor. We have numbers for four of them, which affected 25,457 records. Two of these breaches were the result of a business associate being hacked, three were the result of insider-error, and the cause of the last one remains unknown. It should be noted that there could be more incidents involving third parties, but there was not enough information to make that determination.
Types of entities disclosing
Of the 37 health data breaches reported in January, 31 incidents (84% of January incidents) involved healthcare providers, one (3% of incidents) involved a health plan, two (5%) involved business associates or third-party vendors, and three incidents involved either a business or health exchange (8% of total incidents).
Finally, 10 incidents involved paper or film records. We have data for eight of them, affecting 14,128 patient records. There may have been more incidents in which paper or film records were involved, but some reports were lacking sufficient details that would have enabled us to make that determination.
One incident took four years to be discovered
We have information regarding the detection of incidents for 11 of the health data breaches that occurred in January 2018. It took organizations an average of 252 days (median: 34 days) from when a healthcare organization was breached to when that organization discovered the breach had occurred. It’s important to note the small sample size precludes any comparisons to previous months.
One incident in January took 1,445 days (almost 4 years) from the time the breach occurred to when it was discovered. A former employee stole the information of 1,021 individuals, including full names, dates of birth, medical record numbers, diagnosis codes, and clinical notes. The healthcare organization was unaware it had even been breached until it found evidence while conducting an audit in January of this year.
Information was available for 18 of the health data breaches that occurred in January. Based on this data, it took healthcare organizations an average of 96 days (median: 59 days) from when they discovered the breach to when it was disclosed to HHS, the media, or a state attorney general. While this average is a bit higher than in the past few months, the median holds steady, with organizations mostly reporting to HHS within the 60-day window.
Breach incidents by state
Twenty-two states are represented in the 37 health data breaches this month. California had, by far, the most data breaches of any state, with 7 incidents. It is important to note, however, that California often has more reported breaches; this could be due to a higher number of reporting entities and patients, more robust reporting, or both.
While insider-related incidents affected far fewer patient records in January than previous months, high numbers of incidents continue to rock the industry, ransomware remains a constant threat, and insider attacks can persist undetected for several years. These continuous threats to patient privacy and the recent ruling and fine levied by OCR show that healthcare organizations can no longer afford to be negligent when it comes to patient data security.
Breaches are long, costly affairs that greatly affect an organization’s bottom line and brand reputation, and as recent trends have shown, it is not a matter of if, but when, your organization will experience a breach. Healthcare organizations must take the necessary steps to move from a reactive security posture to a proactive one, auditing every access to the EHR and providing full visibility into how patient data is being used. This comprehensive review is a critical step in proactively detecting and preventing data breaches, and in averting the devastation that can follow for both healthcare organizations and the patients who trust them with their most private information.
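The 15-month snooping case above and the call for auditing every EHR access both come down to one check: does the user accessing a record have a documented care relationship with that patient? The following is an added example, not code from Protenus or from the report; the audit records, the care-team table and the threshold of three distinct patients are constructed assumptions.

```python
# Added example (not from the Protenus report): a minimal snooping check over
# constructed EHR access-audit records. An access is "unexplained" when the
# user has no recorded care relationship with the patient; a user with many
# unexplained accesses spread over a long period resembles the 15-month case.
from collections import defaultdict
from datetime import date

# Constructed audit records: (user, patient_id, access_date).
ACCESS_LOG = [
    ("nurse_a", "P100", date(2017, 1, 5)),
    ("nurse_a", "P101", date(2017, 3, 9)),
    ("nurse_a", "P102", date(2017, 7, 2)),
    ("nurse_a", "P103", date(2017, 12, 20)),
    ("nurse_a", "P200", date(2018, 1, 4)),   # P200 is on nurse_a's care team
    ("dr_b", "P300", date(2018, 1, 10)),
    ("dr_b", "P301", date(2018, 1, 11)),     # one unexplained access only
]

# Constructed care relationships: (user, patient_id) pairs from encounters.
CARE_TEAM = {("nurse_a", "P200"), ("dr_b", "P300")}


def unexplained_accesses(log, care_team):
    """Return audit records whose user has no care relationship with the patient."""
    return [rec for rec in log if (rec[0], rec[1]) not in care_team]


def flag_users(log, care_team, min_patients=3):
    """Summarise unexplained access per user and keep users who touched at least
    min_patients distinct patients. 'span_days' shows how long it persisted."""
    per_user = defaultdict(list)
    for user, patient, when in unexplained_accesses(log, care_team):
        per_user[user].append((patient, when))
    flagged = {}
    for user, hits in per_user.items():
        patients = {p for p, _ in hits}
        if len(patients) < min_patients:
            continue
        dates = sorted(d for _, d in hits)
        flagged[user] = {
            "patients": len(patients),
            "accesses": len(hits),
            "span_days": (dates[-1] - dates[0]).days,
        }
    return flagged


if __name__ == "__main__":
    for user, summary in flag_users(ACCESS_LOG, CARE_TEAM).items():
        print(user, summary)
```

In practice the care-team table would be derived from encounter, scheduling and coverage data, and a legitimate break-the-glass reason recorded at access time would exempt the record before it is counted.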
If you’d like to read more about the details pertaining to specific breach incidents, you can find reports on the Databreaches.net website.