February 18, 2020

2020 Breach Barometer: 41M Patient Records Breached as Hacking Incidents Escalate

Kira Caban

With the continuing increase in breaches of patient data since 2016, as detailed in the just-released 2020 Breach Barometer®, the healthcare industry must continue to implement best practices to better protect patient data and ultimately prevent health data breaches from occurring. 

The Number of Breached Patient Records Nearly Tripled from 2018 

This increase reflects the continued vulnerability of patient data to a range of threats, from external incidents like hacking to insider-related incidents where healthcare insiders either maliciously or by error compromise sensitive patient information. Breaches can be hard to uncover. In 2019, healthcare organizations took an average of 224 days to discover an incident. Although HIPAA requirements stipulate that breaches be reported within 60 days, it took healthcare organizations an average of 80 days to report the incidents in 2019.

Figure: Number of breached patient records, 2016-2019 health data breaches

The Problems with Health Data Breaches

Health data breaches create a host of problems for patients and health systems. For patients, aside from the financial burden that can occur from trying to mitigate the effect on their lives, privacy and safety are compromised, and trust in the organizations where they seek care can be broken. For hospitals and health systems, regulatory penalties and financial costs accrue, along with the loss of patient trust, and bad publicity. 

Breaches are not rare or unusual. Health systems across the country experienced health data breaches in 2019; some states experienced higher volumes than others, possibly due to the location of their business associates and third-party vendors. The graph below shows the relative number of breaches in each state, with the greatest numbers occurring in Texas and California.

Figure: Number of incidents by state, 2019 health data breaches

Insider Breaches Decline but Still a Problem  

A notable improvement is the decrease in the actual number of insider breaches, which dropped from 192 in 2016 to 110 in 2019. This decrease could reflect the adoption of healthcare compliance analytics in health systems nationwide as well as an increased focus on employee education on how to better protect patient privacy. Despite the decreased number of insider breaches, the number of patient records affected increased by 1.1 million between 2018 and 2019.

Figure: Total insider-related incidents, 2016-2019 health data breaches

In some cases, data breaches from hospital insiders occur not from ill will or malice, but because of carelessness or human error. In others, however, inside actors seek to cause harm. Although the actual number of insider-related breaches declined, the damage these breaches caused was still extensive. In 2019, insiders breached 3.8 million patient records, up from 2 million in 2016. The very nature of these breaches can make them hard to detect, because the insiders involved have legitimate access to the EHR. It's also important to note that some insiders are malicious. Over the course of more than two years, one Maryland nurse exposed data on more than 16,000 patients to a third party.

What’s in It for Cyber Criminals?

For the criminals who hack, sell, or buy these records, the financial rewards may no longer be as high as in the past (recent estimates put the value of a patient health record at about $50), but the data is "evergreen": it persists and is resold. Unlike what happens when a credit card number is stolen, for instance, healthcare data cannot simply be shut down, frozen, or changed. Reclaiming that data and preventing it from being reused or altered by others with malicious intent (a scenario that has played out for some patients) is frightening and can be quite challenging.

Figure: Differences between stolen credit card and medical record data

Ransomware Problems on the Rise 

In 2019, one-third of reported hacking incidents involved ransomware. Ransomware is a form of software that prevents individuals or organizations from accessing their data; as the name suggests, victims must pay a ransom to “release” their data. The hackers behind ransomware threaten health systems financially, through extortion, and, most recently, by threatening patients with public exposure of their personal health information (PHI).

Figure: Total hacking incidents, 2019 health data breaches

Healthcare leaders know and understand the importance of protecting patient health records and data, a task that, until the use of healthcare compliance analytics, was done manually with random audits. 

With our healthcare compliance analytics platform, our customers are able to review every access of patient records and determine whether or not patient privacy has been violated. In partnership with our customers, we can automatically enforce privacy at scale, but in ways that are tailored to the specific needs of each hospital or healthcare system. We know that for the hackers, the game is always afoot. With Protenus, we aim to be leaps and bounds ahead. 

The 2020 Breach Barometer® is available for download. It was written by Protenus, with data provided by Databreaches.net.

Download the full report