This month’s data regarding breaches of protected health information reinforces the need for health data security to be a top priority. With an average of almost 2 breaches per day, November has seen a record number of breach incidents, the highest of any month in 2016. What’s even more concerning is that employees (insiders) are responsible for more than half of this month’s breaches to patient data, a notable increase from past months.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Findings for November 2016
While the past two months had shown a decline in both total patient records breached and the number of incidents reported compared to the summer months, November saw a sharp increase in the number of breach incidents, with 60% more breaches than in October. This month's analysis shows 57 incidents either reported to HHS or first disclosed in media or other sources. Information was available for 49 of these incidents, totaling 458,639 records breached. It should be noted that it is not clear whether one of the entities reported only itself to HHS or also reported its affiliated clinic.
The largest single incident involved 170,000 patient records as a result of a business associate’s insider error.
Figure: 2016 Number of Records Breached
Hacking Pales in Comparison to Insider Breaches
54.4% of the total breaches (31 incidents) affecting patient data in November were the result of insiders. 17 of these incidents were the result of an error or accident, while 14 were the result of insider wrongdoing. In the 12 insider-error incidents for which we have numbers, 264,099 patient records were involved. In the nine incidents caused by insider wrongdoing, 17,237 patient records were involved.
Nine breach incidents involving patient data were the result of hacking, down from 14 hacking incidents in October. Three of November's incidents specifically mentioned ransomware, and another incident mentioned ransom/extortion but not ransomware. TheDarkOverLord struck again, as he was responsible for the ransom/extortion demand. In the six hacking incidents for which we have numbers, 102,883 patient records were involved.
Figure: Types of Incidents, November 2016 Health Data Breaches (* also includes ransomware and malware incidents; ^ includes incidents reported in the HHS breach tool where there was insufficient information to categorize the incident)
Types of Entities Reporting
Of the 57 reported incidents in November, 40 incidents involved healthcare providers (70.1% of reported entities), followed by 11 incidents involving health plans, and three incidents involving business associates. There were three other entities that reported a data breach: a financial services firm, an anti-doping agency, and one other business.
At least 25 of the 57 incidents (44%) involved business associates or third parties. It's also important to note that 11 different BAs or vendors were involved in these 25 breach incidents. Three of these incidents had been identified in earlier Breach Barometer reports. Ambucor accounts for 11 of the 25 third-party incidents in November, EMR4ALL/RBS for four, and the Marin Medical Practice Concepts breach for one.
Although we only have numbers for 20 of the 25 third-party incidents, those 20 account for 55% of the breached records for November (252,619 patient records).
It is worth noting that paper records were involved in two incidents. There may be more, but some reports were lacking detail that would have enabled that determination.
Figure: Types of Entities Reporting, November 2016 Health Data Breaches
Length of Time to Discover and Report Breaches
Of the incidents reported in November for which we have data, it took an average of 135 days from the time the breach occurred to when HHS was notified. This is significantly longer than the average number of days from breach to reporting for incidents in October. It's important to note that HHS requires entities to report a breach within 60 days of discovery; 65% of the reporting entities for which we have numbers took longer than the 60-day window to report their breach. It goes without saying that organizations must be proactive in monitoring patient data. The sooner a breach is detected, the quicker the healthcare organization can mitigate the risk of significant damage being done with its patients' data. The longer PHI is exposed, the more it can cost the healthcare organization and the more troublesome it ultimately becomes for the patients.
Figure: Days Between Breach and Discovery, November 2016 Health Data Breaches
Figure: Days Between Breach and Reporting to HHS, November 2016 Health Data Breaches
Breach Incidents By State
24 states are represented in the 57 total data breach incidents affecting healthcare. Delaware and California each had nine incidents, the most of any state in November. It should be noted that the numbers for California and Delaware are inflated because the analysis uses the state where the BA/vendor is located, not where the client is located, and business associates in both of these states were responsible for a number of the incidents reported this month. There were two incidents in which a location was not indicated.
Figure: Number of Health Data Breaches by State, November 2016