Key Takeaways from the 2021 Breach Barometer

Though it dominated media coverage, COVID-19 wasn't the only silent enemy healthcare organizations battled in 2020. Amid the chaos of the pandemic, hospitals and health systems were also ravaged by health data breaches, which were up 30% in 2020 compared to 2019. A new trend emerged of at least two data breaches per day.

These are some of the key findings contained in the 2021 Protenus Breach Barometer, a retrospective report of health data breaches that occurred in 2020. The number of reported health data breaches has risen every year since Protenus began publishing the Breach Barometer in 2016.

Download the 2021 Breach Barometer® for the latest insights on how data breaches are impacting the healthcare industry.

The latest Breach Barometer is based on 758 health data breaches reported to HHS, the media, or some other source in 2020, which represented an increase from the 572 breaches reported in 2019. Data on patient impact was available for 609 of the incidents in 2020, which compromised more than 40.7 million records.

Bear in mind that these numbers only reflect incidents that have been detected and reported, and HHS only requires reporting of breaches that affect more than 500 patients. Therefore, the full picture is likely much more grim.

Hacks climb for 5th straight year

Hacking incidents increased for the fifth year in a row, with the number of public reports up 42% from 2019. The relatively constant occurrence of these kinds of incidents throughout the year was alarming enough that in October, the Cybersecurity and Infrastructure Security Agency, the FBI, and HHS warned of "an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers."

Criminals flagrantly exploited healthcare vulnerabilities as these organizations weathered massive pandemic-related challenges, including sudden spikes in telehealth use and remote work, culminating in 470 hacking breaches reported throughout 2020, or 62% of all breaches for the year. The number of records exposed was available for 277 of those hacking incidents, which affected a combined 31,080,823 patient records.

To put it plainly, hacking incidents alone in 2020 made more than 31 million patients vulnerable to threats such as identity theft and exploitation. Stolen data can be sold on the black market for as much as $1,000, depending on the completeness of the information, threatening a patient's livelihood and right to privacy.

Under obligation to do no harm, healthcare organizations must adopt advanced tools capable of preventing hacks and their frightening consequences for patients. By making investments to protect patients, health systems in turn protect themselves from severe reputational damage, financial penalties, or care disruptions stemming from hacking incidents.

Insider breaches soar

Behind hacking, insider incidents were the second most common category of data breaches, representing 20% of all events in 2020.

Breaches involving healthcare insiders rose after a four-year decline, and the number of records affected more than doubled from 2019. The number of patient records compromised was available for 111 insider incidents, which affected a combined total of more than 8.5 million records. This is a staggering increase from the roughly 3.8 million records known to be breached by insiders in 2019.

While there were significantly more patient records breached by insiders without malicious intent than there were records breached by insider-wrongdoing (which includes employee theft of information, snooping in files, or other cases where employees appear to have knowingly violated the law), the insider-wrongdoing incidents pose a unique danger: employees abusing their legitimate access to patient information can often go undetected for long stretches.

The pandemic specifically elevated the risk of illegitimate insider access by creating the temptation to snoop on someone's COVID-19 status or vaccination record. Realizing this new threat, the privacy officer of one Alaska health system issued a reminder to employees in March 2020 that still bears repeating a year later:

"While you may be anxious to obtain results about a patient, any medical information will be delivered directly by our providers," the system's privacy officer wrote in a March 2020 letter. "We do not tolerate snooping in the EMR, no matter the reason."

The need for upheaval

A zero-tolerance stance on snooping is important, but it will never be enough to prevent innocent mistakes or nefarious hackers. Only by using compliance analytics to calculate the risk score of any anomalous access can organizations surface and prioritize interactions with data that truly warrant attention.

The attacks outlined in the 2021 Breach Barometer — and the knowledge that these numbers offer just a glimpse of the bigger picture — should serve as a wake-up call for organizations still relying on random manual audits to help achieve compliance. To better protect patient information, preserve financial standing, and prevent care disruptions that can result from breaches, organizations must trade in their outdated, ineffective compliance processes for game-changing healthcare compliance analytics.

Download the 2021 Protenus Breach Barometer® to better understand how data breaches are affecting healthcare during the global pandemic.