Insider-Wrongdoing Incident Took 5+ Years to Discover

There has been another string of insider breaches first reported in September that have taken at least a year to discover, and in some cases several years lapsed before discovery. It’s paramount for healthcare organizations to become more proactive and efficient at detecting these insider breaches, as the organization’s reputation and patient livelihoods are at stake. Healthcare organizations must learn from one another and utilize necessary resources to better combat this problem that is continuously plaguing the industry.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

Receive our Breach Barometer each month to stay on top of the breaches affecting healthcare.

Findings for September 2017

There has been a substantial increase in the number of breach incidents first disclosed this month to HHS or the media in September, with 46 incidents, compared to 33 in August. For the 42 incidents for which we had numbers, 499,144 patient records were affected. The largest single incident for which we had numbers involved 128,000 patient records in a hacking incident that involved ransomware. Details around this breach incident are unclear, as the organization is unsure if any data was actually exfiltrated. Reports did make it clear that this patient data was made inaccessible by the hacking.

2017 INCIDENTS INVOLVING PHI OR MEDICAL/HEALTH INFORMATION
2017 NUMBER OF BREACHED PATIENT RECORDS

Hacking Accounted for 50% of Incidents in September

In September, 23 hacking incidents were first reported, accounting for 80% of all breached patient records. We have numbers for 19 of these incidents, affecting 401,741 patient records. There was one report that specifically mentioned ransomware, seven reports that mentioned phishing, and eight reports mentioned extortion attempts as part of the health data breach. The blackhat hackers known as TheDarkOverLord (TDO), whose hacks in the healthcare sector have been previously noted in our monthly reports, claimed responsibility for all eight of these extortion incidents. The extent of their impact on the number of records for September is currently unknown as we do not yet have numbers for three of their eight incidents, but DataBreaches.net notes that extortion is on the increase across all sectors, and that the healthcare sector and education sector are prime targets for extortionists due to the sensitivity of the data and the lack of security when compared to other sectors.

Insider-wrongdoing Affects Almost Three Times As Many Patient Records as Insider-error

Insiders were responsible for 32.6% of September’s breach incidents (15 incidents). There were numbers available for all insider incidents, affecting 73,926 patient records. Six of the reported insider incidents were the result of insider-error, affecting 24,958 patient records. Eight of the reported incidents were the result of insider-wrongdoing, affecting 47,887 patient records. One insider-wrongdoing incident actually involved multiple hospital employees when they found out a patient was brought into the ER with a genital injury involving a foreign object. “A ton” of hospital employees gathered in the patient’s OR room and took pictures of the injury with their cellphones. These pictures began to circulate around the hospital staff prompting a vigilant employee to bring the incident to hospital administrators.

There were four incidents of physical theft of patient records, which affected 17,295 patient records. Six incidents were the result of third-parties or business associates (BA), affecting 16,078 patient records; there may be more incidents, but not enough information was provided to make a determination since the HHS breach tool has a tendency to underreport these types of incidents.

TYPES OF INCIDENTS, SEPTEMBER 2017 HEALTH DATA BREACHES ^INCLUDES INCIDENTS REPORTED TO HHS WHERE THERE WAS INSUFFICIENT INFORMATION TO CATEGORIZE THE INCIDENT

Types of Entities

Of the 46 health data breach incidents in September, 31 of those (67.4%) involved healthcare providers, six incidents (13%) involved health plans, six incidents involved a business associate or third-party, and three incidents involved schools. One of the school related incidents involved the principal downloading sensitive student information, including psychological evaluations from their electronic record system, affecting 5,912 student records. Upon discovery, the principal was terminated, there is also a pending lawsuit.

It should be noted that there could be more incidents involving third-parties but there was not enough information for a number of incidents to make that determination.

TYPES OF ENTITIES REPORTING, SEPTEMBER 2017 HEALTH DATA BREACHES

Four health data breach incidents involved paper or film patient records, affecting 16,078 patient records. One incident involving paper records is also an example of malicious insider-wrongdoing. A hospital employee stole a laptop and paper records, and then used that patient information to open credit cards in the patients’ names. Unfortunately, this is an all too common example of the malicious activity that can occur when bad actors within a healthcare organization have access to patient information. This serves as a reminder for healthcare that it takes more than training and education to truly thwart insider-wrongdoing within an organization. There are advanced analytics used within the nation’s leading hospitals that detect abnormal behavior within the EHR, promptly identifying potentially serious breaches to patient privacy, mitigating the overall risk to the organization and more importantly, its patients.

It’s important to note that there may have been more incidents in which paper or film records were involved, but again, some reports were lacking detail that would have enabled that determination.

Several Breaches Go Undiscovered for More Than a Year

Of the reported incidents for which we have numbers, it took an average of 387 days (median = 38 days) for healthcare organizations to discover a breach had occurred. It’s important to note that the mean and median are drastically different given the extreme range of the data. Some entities discovered a breach immediately, while one incident went undiscovered for almost six years, a result of insider-wrongdoing affecting 1,969 patient records. As mentioned in previous Breach Barometer reports, the longevity of this type of breach reinforces the need to have technology in place that can proactively detect a health data breach.

It also took an average of 66 days (median = 59 days) from the time a breach was discovered to when it was disclosed, either to HHS, the media or to state attorneys general. It’s promising to see that healthcare organizations are routinely reporting health data breaches within the mandated 60-day window. Hopefully breach detection will continue to improve through the use of the advanced technologies being implemented across North America’s healthcare organizations.

DAYS BETWEEN BREACH AND DISCOVERY, SEPTEMBER 2017 HEALTH DATA BREACHES
DAYS BETWEEN DISCOVERY AND DISCLOSURE, SEPTEMBER 2017 HEALTH DATA BREACHES

Breach Incidents By State

26 states are represented in the 46 health data breach incidents. California had five incidents, which is the most reports of any state in September. Texas followed closely with the second highest total of four separate health data breach incidents. It should be noted that California and Texas routinely have a relatively high number of breach incidents, but this could be due to higher reporting entity and patient volume, and/or more robust reporting.

NUMBER OF HEALTH DATA BREACHES BY STATE, SEPTEMBER 2017

Conclusion

The longevity of the insider breaches reported in this month’s report continue to reinforce the need for healthcare to proactively detect health data breaches. The healthcare industry consistently presents and introduces ways healthcare organizations can better combat the challenges in discovering a health data breach. Since the inception of the Breach Barometer, the report has consistently found the same reoccurring trends with the number of breach incidents each month and that insider threats to patient data remain unnoticed. It’s time for the healthcare industry to make patient privacy a priority. We are hopeful that as future data is analyzed, there will be a significant improvement in health data security, specifically in health data breach detection and resolution.

If you’d like to read more about the details pertaining to specific breach incidents, you can find reports on the Databreaches.net website.

Sign-up to be the first to receive our monthly Breach Barometer report to get the latest information on the data breaches affecting healthcare.