Nearly 20M patients affected this summer after huge month of PHI breaches

The number of breached records reported in August totals an unsettling 8,804,608. While this total does not exceed the staggering 11 million records we reported in June, it once again demonstrates that PHI breaches continue to be a huge problem for a wide array of institutions. Even more troubling, one breach reported this month began in 2008, taking more than eight years to be publicly reported.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.


Findings for August 2016

We would be remiss if we did not open the Breach Barometer with two important August developments pertaining to the HHS Office for Civil Rights (OCR), the entity responsible for enforcing HIPAA's Privacy Rule.

First, in what is the largest settlement to date, Advocate Health Care Network has agreed to pay $5.55 million to settle HHS charges stemming from multiple health data breaches. Following on the heels of a $2.7 million settlement with OHSU and a $2.75 million settlement with the University of Mississippi Medical Center in July, it's clear that OCR has kicked into high gear with a summer of settlements that exceed $10 million in total.

Second, OCR announced an initiative to increase its investigation of smaller health data breaches, those affecting fewer than 500 individuals, to "identify and obtain corrective action to address entity and systematic noncompliance related to these breaches." The Protenus team applauds this new initiative. As has been seen time and again, these smaller breaches can have devastating long-term effects for patients and providers alike, and understanding them in greater detail is critical to understanding our nation's healthcare breach landscape.

Now, onto the breach reporting you know and love. Our August Breach Barometer analysis is based on 44 reports stemming from 42 separate incidents either reported to HHS or first disclosed in the media or other sources. The number of patients affected was available for 32 of these reports, totaling 8,804,608 records breached.

2016 number of records breached
2016 incidents involving PHI or medical/health information

Insider Threats Continue to Loom Large

Forty-three percent (18 incidents) of breaches in August were insider incidents, including both accidental and intentional wrongdoing.

Twenty-nine percent (11 incidents) of breaches involved hacking, malware, or ransomware. It’s important to note that even though this category accounted for fewer incidents than insider events, the seven incidents in this category for which we have numbers accounted for ninety-one percent of records breached for this month. The largest breach in August, involving 3,620,000 records, was due to hacking. Unlike June, when the vast majority of breached health records were due to hacks by one actor calling himself TheDarkOverlord, the hacking incidents reported in August did not appear to be linked to a single source.

Business Associate Breaches Pose Major Threat

Business associates (BA) or vendors were involved in at least 19 percent of breaches (8 incidents), but accounted for a disproportionate percentage of breached records. The five BA incidents for which we have data accounted for 47 percent of all breached records for the month. Incidents involving business associates included insider errors that resulted in exposure of PHI, as well as ransomware attacks and other hacks.

Types of incidents, August 2016 health data breaches. *Also includes ransomware and malware incidents; ^ Includes incidents reported in HHS breach tool where there was insufficient information to categorize the incident

Types of Entities Reporting

Thirty-seven incidents involved healthcare providers (86 percent of reported entities), followed by two incidents reported by health plans and two incidents reported by a business associate or vendor. The remaining incidents involved a breach by a public school and a breach involving a telehealth platform, both of which were reported by the media rather than by the provider.

Types of entities reporting, August 2016 health data breaches

Length of Time to Discover and Report a Breach

As we first noted in the July Breach Barometer, some incidents are not publicly disclosed for several years; in one July incident, six years passed before the breach was reported. For incidents for which we know the date of the breach, the date of discovery, and the date the breach was reported, it's clear that some healthcare organizations are doing a good job of monitoring their patient data and acting promptly once a breach occurs. In a number of incidents, the time from breach to discovery was less than 20 days.

Number of days between breach and discovery, August 2016

While we don't know how fast each breach was remediated once discovered, it is reasonable to hypothesize that the shorter the interval, the quicker the entity's response was after the breach. Note, however, that a short breach-to-report interval depends on prompt discovery as well as prompt reporting; the interval from discovery to report is the better measure of an entity's own response. Entities may not have discovered breaches on their own; some were alerted to them by outside sources such as the media. In some incidents, the time between the breach and its being reported was less than 14 days.

Number of days between breach and reporting, August 2016
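To make the two intervals discussed above concrete, here is an added example (not Protenus's own analysis code) that computes breach-to-discovery and discovery-to-report intervals for a set of incident records, tolerates the missing dates that are common in public breach data, and flags reports that fall outside the 60-calendar-day notification window the HIPAA Breach Notification Rule (45 CFR 164.404) measures from discovery. The entities and dates are constructed for illustration; the 60-day threshold is the assumed compliance deadline.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# HIPAA Breach Notification Rule (45 CFR 164.404): affected individuals must
# be notified without unreasonable delay and no later than 60 calendar days
# after discovery. Used here as the assumed deadline for flagging late reports.
NOTIFICATION_DEADLINE_DAYS = 60


@dataclass
class Incident:
    """One breach report. Any date may be unknown, as in the public HHS data."""
    entity: str
    breached: Optional[date]    # when the breach began
    discovered: Optional[date]  # when the entity learned of it
    reported: Optional[date]    # when it was reported or publicly disclosed


def days_between(start: Optional[date], end: Optional[date]) -> Optional[int]:
    """Return end - start in whole days, or None if either date is unknown."""
    if start is None or end is None:
        return None
    return (end - start).days


def interval_summary(incidents):
    """Compute breach->discovery and discovery->report intervals per entity.

    Each value carries both intervals (None when a needed date is missing)
    and a late_report flag set when discovery-to-report exceeds 60 days.
    """
    out = {}
    for inc in incidents:
        to_discovery = days_between(inc.breached, inc.discovered)
        to_report = days_between(inc.discovered, inc.reported)
        late = to_report is not None and to_report > NOTIFICATION_DEADLINE_DAYS
        out[inc.entity] = {
            "breach_to_discovery_days": to_discovery,
            "discovery_to_report_days": to_report,
            "late_report": late,
        }
    return out


def interval_stats(summary, key):
    """Count, median and max over only the incidents that have the interval."""
    values = sorted(v[key] for v in summary.values() if v[key] is not None)
    if not values:
        return {"n": 0, "median": None, "max": None}
    return {"n": len(values), "median": median(values), "max": values[-1]}


# Constructed sample incidents: hypothetical entities and dates, not the
# August 2016 data set. "Hospital B" mimics a breach that began years earlier;
# "Plan D" has no known breach date, so that interval is reported as None.
SAMPLE_INCIDENTS = [
    Incident("Clinic A", date(2016, 7, 1), date(2016, 7, 12), date(2016, 8, 9)),
    Incident("Hospital B", date(2008, 3, 15), date(2016, 6, 30), date(2016, 8, 15)),
    Incident("Vendor C", date(2016, 5, 2), date(2016, 5, 3), date(2016, 8, 20)),
    Incident("Plan D", None, date(2016, 8, 1), date(2016, 8, 12)),
]

if __name__ == "__main__":
    summary = interval_summary(SAMPLE_INCIDENTS)
    for entity, row in summary.items():
        print(entity, row)
    print("breach->discovery:", interval_stats(summary, "breach_to_discovery_days"))
    print("discovery->report:", interval_stats(summary, "discovery_to_report_days"))
```

Keeping the two intervals separate matters: "Vendor C" discovers its breach in a day but reports it 109 days later, which a breach-to-report figure alone would not distinguish from slow discovery, while "Hospital B" reports within 46 days of discovery despite an eight-year breach-to-discovery gap.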

Breach Incidents By State

The 42 incidents, the highest monthly count so far this year, were spread across twenty states. With a few exceptions, the number of incidents reported each month has risen steadily this year. California had six incidents this month, the most of any state.

Number of health data breaches by state, August 2016