March Health Data Breaches: Time to Report Improving, but Time to Discovery Still Troubling

After a relatively quiet start to the year, there has been an uptick in the number of health data breach incidents and a drastic increase in the number of breached patient records this month, with almost 700K patients breached in a single incident.  Also of note is that a recent report found that academic medical centers are substantially more likely to be breached than other health systems.  These findings reinforce the need for academic health systems to pay particular attention to how they are protecting their patient data and what proactive measures they have put in place to thwart these threats.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

Receive our Breach Barometer each month to stay on top of the breaches affecting healthcare.

Findings for March 2017

The first quarter of 2017 ended with a sharp spike in the total number of affected patient records, with March having more than 2.5 times the number of breached records in January and February combined.  While the increase in the number of affected patient records was drastic, the number of incidents was a bit more palatable.  There were 39 separate breach incidents in March, affecting 1,519,521 patient records.  Our analysis is based on incidents either reported to HHS or disclosed in media or other sources during March 2017.  Information was available for 35 of those incidents. The largest single incident involved 697,800 patient records and was reported to HHS as “theft-other.”

2017 INCIDENTS INVOLVING PHI OR MEDICAL/HEALTH INFORMATION

2017 Number of breached patient records

Insider Threats Remain Significant

Healthcare continues to see insiders as a very real problem when it comes to truly protecting patient data.  A recent study found that only 28% of hospital employees demonstrated the necessary awareness to prevent incidents that could lead to exposure of PHI and personal data.  Insiders were responsible for 44% of March’s total breach incidents (17 incidents), affecting 179,381 patient records.  Ten of the reported insider incidents were the result of insider-error.  For the insider-error incidents for which we have numbers, 14,219 patient records were affected.  Seven of the reported incidents were the result of insider-wrongdoing.  We have numbers for five of these incidents, which affected 165,162 patient records.

As we have seen in months prior to February, hacking accounted for a significant percentage of records and incidents (11 incidents accounted for 28% of total incidents). The hacking incidents reported this month affected 600,270 patient records.

It’s important to note that theft of patient records was reported as being responsible for  737,131 patient records affected by breaches. That would appear to be an alarming increase from February in which only 10,107 patients records were stolen or went missing, but for the fact that we have one report with almost 700,000 records for which we have no details and no confirmation of actual theft.

TYPES OF INCIDENTS, march 2017 HEALTH DATA BREACHES        

^INCLUDES INCIDENTS REPORTED TO HHS WHERE THERE WAS INSUFFICIENT INFORMATION TO CATEGORIZE THE INCIDENT

TYPES OF INCIDENTS BY PATIENT RECORD VOLUME, MARCH 2017 HEALTH DATA BREACHES

Of the 39 health data breach incidents in March, 33 of those (84.6%) were reported by healthcare providers, four incidents were reported by health plans, one incident was reported by a business associate or third-party, and one was disclosed in a media report but has not been confirmed by the entity.

So far in 2017, third-party breaches have represented a substantial portion of total breached patient records, 82% in January and 21% in February.  However, in March third-parties were only responsible for 3% (one incident) of total breached patient records.It should be noted that there could be more incidents involving third-parties but there was not enough information for a number of incidents to make that determination.

It is also worth noting that there were three health data breach incidents that involved paper or film patient records.  For the two incidents for which we have numbers, 804 patient records were affected.  There may have been more incidents in which paper or film records were involved, but again, some reports were lacking detail that would have enabled that determination.

TYPES OF ENTITIES REPORTING, MARCH 2017 HEALTH DATA BREACHES

Length of Time to Discover and Report Breaches

Over the past few months, we have reported that it has taken several months or years for a healthcare system to discover and report a health data breach to HHS.  In March, there has been a substantial shift in the amount of time it has taken healthcare organizations to discover and report when they’ve had a breach.  Almost all of the breaches for which we have the appropriate data reported their health data breach to HHS within the required 60-day window.  It should also be noted that HHS OCR has recently started fining entities for not reporting a health data breach within the required time frame.  It leads one to ask - have recent OCR fines led to an increase in diligent and prompt reporting of health data breaches?

Of the incidents reported in March for which we have data, it took an average of 45 days from the time the breach was discovered to when it was reported to HHS.  This is a drastic improvement from the 478 days it took HHS to be notified of breaches reported in February.  There were two incidents in which it took almost three years (1,087 and 1,088 days respectively) for the organizations to discover a breach had even occurred.  One of these incidents was the result of insider-wrongdoing and resulted in the termination of several hospital employees.  This serves as reminder that employee training and proactive privacy monitoring are crucial in detecting suspicious activity within the EHR to mitigate and reduce the length someone has inappropriate access to patient medical records.

DAYS BETWEEN BREACH AND DISCOVERY, MARCH 2017 HEALTH DATA BREACHES

DAYS BETWEEN DISCOVERY AND REPORTING, MARCH 2017 HEALTH DATA BREACHES

Breach Incidents By State

20 states are represented in the 39 health data breach incidents. Texas had six incidents, which is the most reports of any state in March.  Tennessee, Pennsylvania, Kentucky, California, and Missouri followed closely with the second highest total, three separate health data breach incidents in each state.  It should be noted that California seems to always have a high number of breach incidents, but this could be the case due to reporting entity and patient volume.

NUMBER OF HEALTH DATA BREACHES BY STATE, march 2017

Sign-up to be the first to receive our monthly Breach Barometer report to get the latest information on the data breaches affecting healthcare.