Olympians Fall Victim as 2016 Continues Breakneck Health Data Breach Pace

September’s largest single incident involved a ransomware that affected 58,000 records. While the overall number of breached records is down, the second half of 2016 is shaping up to be significantly worse than the first half when it comes to patient data security. September’s breach totals include several olympic athletes after the World Anti-Doping Agency (WADA) suffered from a hacking incident apparently at the hands of Russian cyber-espionage group, Tsar Team (APT28), also known as Fancy Bear. While this month’s patient records breached total (246,876) pales in comparison to this past summer’s total (20 million), it’s important to re-emphasize the ever-evolving threats to patient data and the misfortune that can occur when this information lands in the wrong hands.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

Sign-up to be one of the first to receive our Breach Barometer each month.

Findings for September 2016

There is an alarming trend of more breach incidents per month in the second half of 2016 than in the first half, with this month’s analysis showing 37 incidents either reported to HHS or first disclosed in media or other sources.  The number of patients affected was available for 32 of these incidents, totaling 246,876 records breached.   

While the first six months of 2016 averaged 25.3 breaches per month, the second half has thus far has had an average of 39.3 incidents per month, an over-55% increase. While the number of months in this total is small, this trend over the last quarter provides some cause for alarm.  

2016 Incidents Involving PHI or Medical Health Information

2016 Number of Records Breached

50,000 Patient Records Breached by Insiders

Forty-one percent (15 incidents) of breaches in September were insider employee snooping in the EHR incidents, seven of which were accidental while the majority (8 incidents) were insider wrongdoing.  For the 13 insider incidents for which we have numbers, 50,695 records were involved.

Thirty-two percent (12 incidents) of breaches involved hacking, including and other malware.  Five of these specifically mentioned ransomware (some others may have also involved ransomware, but we don’t have details for every incident). For the 10 hacking incidents for which we have numbers, 154,814 records were involved.  While insider threats represented a greater proportion of incidents than hacking, it's important to note that hacking accounted for substantially more of the breached records than insider events, as also mentioned in the August Breach Barometer.

Types of Incidents, September 2016 Health Data Breaches

*Also includes ransomware and malware incidents
^ Includes incidents reported in HHS breach tool where there was insufficient information to categorize the incident

Types of Entities Reporting

Thirty-three incidents involved healthcare providers (91.7 percent of reported entities), followed by two incidents that were reported by health plans, and one incident reported by a Business Associate (BA) or vendor. There may be more BA or vendor related breaches since it is not always clear from initial reports the type of entity reported.

It is worth noting that paper records were involved in 19 percent of incidents, with several incidents resulting from insider wrongdoing and/or theft.

Types of Entities Reporting, September 2016 Health Data Breaches

Length of Time to Discover and Report Breaches

As we reported over the last few months, there are some breach incidents that are not publically disclosed for several years. Examining incidents for which we know the date of the breach, date of discovery, and date the breach was reported, it’s clear that some healthcare organizations are doing better than others when it comes to proactively managing their patient data. Of the incidents reported in September, for which we have data, it took an average of 151 days from the time the breach has occurred to when HHS is notified, which is considerably less than the 558 average number days it took from breach to reporting for August breaches. One organization took almost two years to discover a breach had even occurred. These alarming time lapses from breach to discovery stress the importance for organizations to be proactive in monitoring their patient data for outliers in accesses to their patient’s sensitive medical data.

Number of days between breach and discover, september 2016

Number of days between breach and reporting, september 2016

Breach Incidents By State

21 states are included in the 37 total incidents which is strikingly similar to last month’s report showing 20 states affected with a total of 42 incidents. California had 11 incidents in September, which is the most reports of any state for a second month in a row. The WADA breach was not isolated to one state, accounting for numerous patients across multiple states.

Number of health data breaches by state, september 2016

Sign-up to be to receive our monthly Breach Barometer to get the latest info on health data breaches.