In May, health data breaches continued to be disclosed at a rate of one or more per day, a trend first noted in the 2016 Annual Breach Barometer Report. If the Breach Barometer has taught us anything, it’s not a matter of “if” a healthcare organization will experience a data breach, but simply a matter of “when”. A lot of damage can be done when a breach goes for several years without detection, providing additional time for the information to be disseminated or time for malicious insiders to continue their activities. It is imperative that healthcare organizations educate themselves on what they can do to reduce their risk and detect breaches as soon as they occur.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Findings for May 2017
As noted above, May continued the trend of an average of least one health data breach per day. There were 37 breach incidents first disclosed this month to HHS or the media. For the 29 incidents for which we had numbers, 255,108 patient records were affected. The largest single incident for which we had numbers involved 142,000 patient records in a database hacked and dumped by TheDarkOverLord. Other incidents may have involved even larger numbers of patient records, but we did not have definite numbers to use in our analyses.
2017 incident involving phi or medical/health information
2017 number of breached patient records
Insiders Represent Largest Portion of Breach Incidents
There has been a shift in health data breach trends for May when compared with April, as more incidents in May were the result of insiders when compared to hacking and incidents of loss and theft. Insiders were responsible for 40.54% of May’s total breach incidents (15 incidents). We have numbers for 10 insider incidents, affecting 39,491 patient records. Ten of the reported insider incidents were the result of insider-error. We have numbers for five of these incidents, which affected 19,156 patient records. These numbers would be significantly higher if insider-error incidents like misconfiguring database backup systems could have been confirmed, as these types of incidents can potentially expose millions of records. Databreaches.net reports on the complexity and specifics of these incidents in their blog post. Five of the reported insider incidents were the result of insider-wrongdoing, affecting 20,335 patient records.
For the reported hacking incidents for which we have numbers, 203,394 patient records were affected. There were three hacking incidents in which ransomware was specifically mentioned as the cause of the health data breach. It should be noted that there may be other incidents that are the result of ransomware but reports were unclear. There were three incidents that we coded as hacking after our own research because the HHS report form does not collect this specific information. There was one phishing incident that recently made the news but was actually discovered (and reported by our Breach Barometer) in September 2016, but the investigation was only completed in May 2017. It’s important to note that this incident was not included in this month’s report since it occurred and was discovered before May 2017, but it accentuates the significant delays that can occur during an investigatory process. It should be noted that the number of patient records affected from hacking incidents could be substantially higher in May, as there were several incidents in which patient information was posted on the Dark Web, but it was inconclusive as to whether the patient data was real or fake. You can read more about these incidents on the Databreaches.net website.
It’s important to note that there were four reported incidents of patient records theft, and we have numbers for three of those incidents, affecting 4,122 patient records. Four incidents were the result of a third-party or business associate - there may be more incidents, but not enough information was provided to make a determination.
TYPES OF INCIDENTS, may 2017 HEALTH DATA BREACHES
^INCLUDES INCIDENTS REPORTED TO HHS WHERE THERE WAS INSUFFICIENT INFORMATION TO CATEGORIZE THE INCIDENT
Types of Entities Reporting
Of the 37 health data breach incidents in May, 29 of those (81%) were reported by healthcare providers, three incidents were reported by health plans, and four incidents reported by a business associate or third-party (a lawyer, document mailing business, password manager business, and whitehat). It should be noted that there could be more incidents involving third-parties but there was not enough information for a number of incidents to make that determination.
It is also worth noting that there were four health data breach incidents that involved paper or film patient records. There may have been more incidents in which paper or film records were involved, but again, some reports were lacking detail that would have enabled that determination.
TYPES OF ENTITIES REPORTING, may 2017 HEALTH DATA BREACHES
Time to Report Improves While Detection Remains Worrisome
May continues to show significant promise for healthcare organizations reporting their health data breaches. For the incidents for which we have numbers, an impressive 83% of entities reported their health data breach to HHS within the required 60 day window.
Of the incidents reported in May for which we have numbers, it took an average of 441 days for healthcare organizations to discover a breach had occurred, which is a huge jump from April’s average of just 51 days to breach discovery. It also took an average of 59 days from the time the breach was discovered to when it was reported to HHS. It should be noted that one reporting entity notified HHS within the 60-day window, after an investigation was complete, but the investigation took 6 months. It begs the question as to why investigations are taking so long - organizations should consider using more advanced resources to help expedite that process. As time to report continues to improve, healthcare organizations need to also spend time on shortening the time it takes to detect a breach has even occurred, helping to mitigate that overall impact a health data breach can have on the organization, as well as its patients.
DAYS BETWEEN BREACH AND DISCOVERY, may 2017 HEALTH DATA BREACHES
DAYS BETWEEN DISCOVERY AND REPORTING, may 2017 HEALTH DATA BREACHES
Breach Incidents By State
19 states are represented in the 37 health data breach incidents. California had six incidents, which is the most reports of any state in May. Florida followed closely with the second highest total of five separate health data breach incidents. It should be noted that California routinely has a relatively high number of breach incidents, but this could be due to higher reporting entity and patient volume, and/or more robust reporting.
NUMBER OF HEALTH DATA BREACHES BY STATE, may 2017
While healthcare organizations show continued improvement in reporting their health data breaches to HHS, there are still alarming instances in which it is taking several years for a breach to be detected. Three incidents reported in the May Breach Barometer went undetected for over three years, which shows that while reporting times have greatly improved, healthcare organizations need to focus on improving breach detection. This information should serve as a call-to-action for the healthcare industry - the time is over to bury our heads in the sand. We should learn from one another on steps that can be taken to reduce the overall risk of experiencing a breach, as well as openly discuss the industry’s privacy and security shortfalls. Armed with this knowledge, we can better protect patient privacy and ensure patient trust when they are seeking healthcare at any of this country’s healthcare organizations.
If you’d like to read more about the details pertaining to specific breach incidents, you can find reports on the Databreaches.net website.
Sign-up to be the first to receive our monthly Breach Barometer report to get the latest information on the data breaches affecting healthcare.