Hacking incidents down, while some insider health data breaches took 5+ years to discover

After a noticeable decline in the number of hacking incidents, insider-related breach incidents have doubled relative to the previous month. February’s health data breaches reinforce the importance of understanding inappropriate workforce activity, especially when the majority of incidents come from within a healthcare organization. For instance, a Nebraska hospital recently discovered a breach that had been going for more than five years and was the result of ongoing insider-wrongdoing. It’s important for healthcare organizations to use advanced analytics to immediately detect breaches of this magnitude in real-time, greatly reducing the impact for patients and organizations alike.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

Receive our Breach Barometer each month to stay on top of the breaches affecting healthcare.

Findings for February 2017

The beginning of 2017 seems to be holding steady in the realm of privacy violations, as both January and February had 31 breach incidents. While the number of incidents remained the same, February experienced a 47% drop in the number of affected patient records (206,151 vs. 388,207). Our analysis is based on incidents either reported to HHS or disclosed in media or other sources during February 2017. Information was available for 26 of those incidents. The largest single incidentinvolved 100,000 patient records, and was the result of insider-error.

Insider Threats to Patient Data Remain Steady

In previous months, healthcare saw hacking incidents that affected considerable amounts of patient data, usually totalling a bit more than a quarter of total incidents. In February, however, hacking resulted in only 12% (four incidents) of total breach incidents. For hacking incidents for which we have numbers, these four incidents affected 44,144 patient records.

Insiders were responsible for 58% (18 incidents) of February’s total breach incidents. Eight of the eighteen insider incidents were the result of insider-wrongdoing, affecting 12,020 patient records. Nine of the incidents were the result of insider-error, affecting 133,418 patient records. One insider incident, involving 724 records,could not be classified due to lack of provided information.

Types of incidents, February 2017 health data breaches. *Includes incidents reported to HHS where there was insufficient information to categorize the incident
Types of incidents by patient record volume, February 2017 health data breaches

Types of Entities Reporting

Of the 31 reported incidents in February, there were 24 incidents reported by healthcare providers (77% of all reported entities), four incidents reported by health plans, two reported by third parties, and one incident reported by a business not covered by HIPAA.

While third-party breaches constituted 82% of total patient records breached in January, there was a significant drop in February, affecting only 21% of patient records. Third-parties were responsible for seven breach incidents, with numbers available for six of these incidents, affecting 44,191 patient records.

It is worth noting that nearly one-third of February breach incidents (10 incidents) involved paper/film records. There were numbers available for nine of these incidents, affecting 12,689 patients records. Please note that there may be more, but some reports were lacking detail that would have enabled that determination.

Types of entities reporting, February 2017 health data breaches

Length of Time to Discover and Report Breaches

As we have reported in the past, some breach incidents are not publically disclosed for months, or in some cases, several years. Examining incidents for which we know the date of the breach, date of discovery, and date the breach was reported, it’s clear that some healthcare organizations are doing better than others when it comes to proactively managing their patient data.

Of the incidents reported in February for which we have data, it took an average of 478 days from the time the breach occurred to when HHS was notified, which is a dramatic increase from the 174 average number of days that elapsed from breach to reporting for January breaches. There were two instances in February in which it took organizations over five years (1,952 and 2,103 days, respectively) to discover that a health data breach had even occurred. The first incident should remind organizations that protocols need to be in place to ensure glitches with technology are caught and corrected in order to avoid vulnerabilities persisting for years before discovery. The second incident stresses the importance of organizations proactively monitoring their patient data for inappropriate accesses to their sensitive medical information. The sooner a healthcare organization can detect when there has been inappropriate access to patient data, the sooner they can mitigate the risk of significant damage and greatly reduce the associated cost the organization will suffer in brand, reputation, lawsuits, fines, etc.

Days between breach and discovery, February 2017 health data breaches
Days between breach and reporting to HHS, February 2017 health data breaches

Breach Incidents By State

18 states are included in the 31 health data breach incidents. Texas had 4 incidents, which is the most reports of any state in February. New York, California, and Arizona followed closely with the second highest total, three separate health data breach incidents in each state. It should be noted that New York and California seem to always have a high number of breach incidents, but this could be the case due to reporting entity and patient volume.

Number of health data breaches by state, February 2017

Sign-up to be the first to receive our monthly Breach Barometer report to get the latest information on the data breaches affecting healthcare.