August 16, 2017

Hacking Dominates Breaches, But One Insider Breach Took 14 years to Discover

Kira Caban

July is the first month in 2017 to have hacking incidents outweigh insider breaches to patient data in both frequency and number of affected patient records.  While hacking accounted for almost half of total breach incidents this month, the severity and potential damage of insider threats to patient data should not be overlooked, with one incident going undetected for 14 years.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

Findings for July 2017

There were 36 breach incidents first disclosed this month to HHS, the media, or a State’s Attorney General. For the 29 incidents for which we had numbers, 575,142 patient records were affected.  The largest single incident for which we had numbers involved 300,000 patient records in a ransomware incident. Other incidents may have involved even larger numbers of patient records, but we did not have definite numbers to use in our analyses.

2017 INCIDENTS INVOLVING PHI OR MEDICAL/HEALTH INFORMATION

2017 number of breached patient records

Hacking Incidents Outweigh Insiders

In an unusual turn of events, hacking outweighed insider incidents in both frequency and the number of patient records affected this month. In July, there were 17 hacking incidents, affecting 516,053 patient records, almost 21 times more patient records than breached by insiders. There were 10 hacking incidents in which ransomware was specifically mentioned as the cause of the health data breach. It should be noted that there may be other incidents that are the result of ransomware but reports were unclear. There were five incidents that involved phishing and one incident that involved an extortion demand. There were three other incidents classified as “hacking/IT”, but these were included in our report as “unknown” because they could not be confirmed, affecting 18,063 patient records.

Insiders were responsible for 22.2% of May’s total breach incidents (8 incidents).  We have numbers for 7 insider incidents, affecting 24,212 patient records.  Three of the reported insider incidents were the result of insider-error.  We have numbers for two of these incidents, which affected 2,982 patient records.  Five of the reported insider incidents were the result of insider-wrongdoing, affecting 21,230 patient records.

It’s important to note that there were three reported incidents of physical theft of patient records, and we have numbers for two of those incidents, affecting 5,643 patient records. Six incidents were the result of a third party or business associate (BA); there may be more incidents, but not enough information was provided to make a determination since the HHS breach tool has a tendency to underreport incidents involving BAs. We have information on five of these incidents, affecting 28,983 patient records.

TYPES OF INCIDENTS, JULY 2017 HEALTH DATA BREACHES
^INCLUDES INCIDENTS REPORTED TO HHS WHERE THERE WAS INSUFFICIENT INFORMATION TO CATEGORIZE THE INCIDENT

Types of Entities Disclosing

Of the 36 health data breach incidents in July, 29 of those (80.5%) involved healthcare providers, three incidents involved health plans, and two incidents involved a business associate or third-party.  There was one incident involving a fire dispatch center.  The incident was classified as hacking, but it has been reported not to involve any PHI.  Look to databreaches.net for more updates as they become available.  It should be noted that there could be more incidents involving third-parties but there was not enough information for a number of incidents to make that determination.

There were three health data breach incidents that involved paper or film patient records.  There may have been more incidents in which paper or film records were involved, but again, some reports were lacking detail that would have enabled that determination.

TYPES OF ENTITIES REPORTING, JULY 2017 HEALTH DATA BREACHES

One Health Data Breach Took 14 Years to Discover

Of the reported incidents for which we have numbers, it took an average of 503 days (median = 79.5 days) for healthcare organizations to discover a breach had occurred. It’s important to note that the mean and median are drastically different given the extreme range of the data. Some entities discovered a breach immediately, while one incident went undiscovered for fourteen years, a result of insider wrongdoing. This is by far the longest undetected breach that has been included in any of the Breach Barometer reports. The longevity of this type of insider breach of patient data is extremely worrisome. This breach affected 1,100 patient records and went completely unnoticed until someone called in a complaint. This is a prime example of why healthcare needs to be much more proactive in detecting inappropriate access to patient information. This organization will now face a multitude of costs associated with a breach, an unfortunate event that can now serve as a learning experience for the rest of the industry.

It also took an average of 67.5 days (median = 60 days) from the time a breach was discovered to when it was disclosed, either to HHS, the media or the State’s Attorney General.   As time to disclose consistently improves, we hope that it’s because healthcare organizations are beginning to proactively detect inappropriate access to their patient information, which will ultimately be a critical step in getting ahead of this crisis that is plaguing the industry.  The Breach Barometer: Mid Year Review details how the first half of 2017 has affected healthcare. The industry has an opportunity to make sure these trends do not continue through the remainder of the year.

DAYS BETWEEN BREACH AND DISCOVERY, JULY 2017 HEALTH DATA BREACHES

DAYS BETWEEN DISCOVERY AND DISCLOSURE, JULY 2017 HEALTH DATA BREACHES

Breach Incidents By State

23 states are represented in the 36 health data breach incidents. California, Georgia, and Indiana each had three incidents in July, the highest of all states with health data breach incidents.  Michigan, Pennsylvania, Tennessee, and Colorado followed closely with the second highest total of two separate health data breach incidents.  It should be noted that California routinely has a relatively high number of  breach incidents, but this could be due to higher reporting entity and patient volume, and/or more robust reporting.

NUMBER OF HEALTH DATA BREACHES BY STATE, JULY 2017

Hacking and insider threats to patient information continue to remain a significant threat to patient privacy in 2017.  Healthcare organizations must continue to improve their security posture and educate their workforce about the ramifications of a breach.  A health data breach not only impacts the healthcare organization but also any patients that have had their information inappropriately accessed.  Reminders and continued training will hopefully help reduce the overall amount of health data breaches the industry experiences each month.  Together as an industry, we can get ahead of the crisis of patient trust that is running rampant within healthcare.  

If you’d like to read more about the details pertaining to specific breach incidents, you can find reports on the Databreaches.net website.
