In July and August there appeared to be signs of progress in how long it took to discover a health data breach. While we would like to report an emerging trend, the data give a false sense of improvement. Over the same period, healthcare also experienced an uptick in the number of hacking incidents, which are often discovered quickly because of the effect they have on an organization's daily operations. As a result, some of the apparent improvement may simply be attributable to more hacking rather than faster discovery, though we will be tracking this carefully. Indeed, while hacking is quickly detected, insiders continue to go unnoticed, creating a costly aftermath for both healthcare organizations and patients alike.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Findings for August 2017
Since the start of 2017 we have consistently seen at least one health data breach per day, and August is unfortunately no exception. There were 33 breach incidents first disclosed this month to HHS or the media. For the 31 incidents for which we had numbers, 673,934 patient records were affected. The largest single incident for which we had numbers involved 266,123 patient records in a hacking incident that involved ransomware.
Hacking Accounted for 54.5% of Incidents in August
The shift in health data breaches first mentioned in the July Breach Barometer continues through August, with hacking incidents outweighing insider incidents in both frequency and the number of patient records affected. In August, healthcare experienced 18 hacking incidents, accounting for 95% of all breached patient records. We have numbers for 17 of these incidents, affecting 637,575 patient records. There were five incidents that specifically mentioned ransomware as the cause of the health data breach. One organization experienced two phishing attacks in as many months. It should be noted that there may be other incidents coded as hacking that were the result of ransomware but reports were unclear.
In addition to the known incidents of ransomware, it should be noted that researchers are reporting a resurgence of attacks on unsecured MongoDB installations and rsync backup devices, with the exposed data being wiped or ransomed. These attacks target instances that accept connections without authentication and are reachable from the internet. While it is unclear how many of the breached installations or servers contained health or patient data, this should remind healthcare organizations to check that authentication is enabled, that the services are not bound to public interfaces, and to test the security of all backup servers and devices.
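As an added illustration (not part of the original Barometer report, and not Protenus or DataBreaches.net code), the following Python script checks for the configuration mistakes behind most of these wiped MongoDB and rsync servers: a database that runs without authorization and listens on every interface, and an rsync module with no authenticated users, no host restriction and write access. The sample configuration files are constructed for this example; the option names (security.authorization and net.bindIp in mongod.conf; 'auth users', 'hosts allow', 'secrets file' and 'read only' in rsyncd.conf) are the real upstream settings, and the mongod.conf parser handles only the two-level subset needed here.

```python
import configparser
from typing import Dict, List

# Constructed sample configurations (not taken from any real deployment).
# The first of each pair is the exposed setup; the second is the corrected one.
MONGOD_EXPOSED = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from every interface
# no 'security:' section, so authorization stays disabled
"""

MONGOD_HARDENED = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
"""

RSYNCD_EXPOSED = """\
uid = nobody
[backups]
path = /srv/backups
comment = nightly EHR exports
read only = no
"""

RSYNCD_HARDENED = """\
uid = nobody
[backups]
path = /srv/backups
comment = nightly EHR exports
read only = yes
auth users = backupsvc
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.5.0/24
"""


def parse_mongod_yaml(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:\\n  key: value' subset of mongod.conf.

    Sufficient for the options audited here; use a real YAML parser for
    anything more. Comments ('#') and blank lines are ignored.
    """
    tree: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line[:-1].strip()
            tree[section] = {}
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            tree[section][key.strip()] = value.strip()
    return tree


def audit_mongod(text: str) -> List[str]:
    """Findings for the exposure pattern behind the wiped/ransomed databases."""
    conf = parse_mongod_yaml(text)
    findings: List[str] = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("mongod: security.authorization is not 'enabled'; "
                        "anyone who can reach the port can read or drop every database")
    # An absent bindIp is treated as localhost, the default since MongoDB 3.6;
    # releases before that bound to all interfaces when the key was missing.
    bind = conf.get("net", {}).get("bindIp", "127.0.0.1")
    if any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append(f"mongod: net.bindIp={bind} listens on all interfaces")
    return findings


def audit_rsyncd(text: str) -> List[str]:
    """Findings for rsync modules that are anonymous, open to any host, or writable."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[global]\n" + text)  # global options precede the first module

    def setting(module: str, key: str, default: str) -> str:
        # A module inherits any global value it does not override.
        return parser.get(module, key,
                          fallback=parser.get("global", key, fallback=default)).strip().lower()

    findings: List[str] = []
    for module in parser.sections():
        if module == "global":
            continue
        if not setting(module, "auth users", ""):
            findings.append(f"rsyncd [{module}]: no 'auth users', so the module is anonymous")
        if not setting(module, "hosts allow", ""):
            findings.append(f"rsyncd [{module}]: no 'hosts allow', so any address can connect")
        if setting(module, "read only", "yes") in ("no", "false", "0"):
            findings.append(f"rsyncd [{module}]: 'read only = no' lets a client overwrite or delete backups")
    return findings


if __name__ == "__main__":
    for label, text, check in (("mongod (exposed)", MONGOD_EXPOSED, audit_mongod),
                               ("mongod (hardened)", MONGOD_HARDENED, audit_mongod),
                               ("rsyncd (exposed)", RSYNCD_EXPOSED, audit_rsyncd),
                               ("rsyncd (hardened)", RSYNCD_HARDENED, audit_rsyncd)):
        findings = check(text)
        print(f"{label}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The configuration check is only half of the test the paragraph asks for: a module with the right settings on disk can still be exposed by a firewall rule or a second listener, so confirm from outside the network segment that the ports are not reachable.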
Extortion demands and non-automated ransom demands also continue to plague the healthcare industry, although in many cases media reports and HHS reports make no mention of the extortion component. As one example, one incident first disclosed in August by a covered entity involved an attack by TheDarkOverlord (TDO), but the public disclosure did not reference the associated extortion attempt. DataBreaches.net is also aware of another group of black-hat hackers who have attempted to extort a healthcare entity. The entity reported the incident to HHS, but there was no report of the extortion attempt or of the fact that the hackers have already dumped approximately 10,000 patients' records to pressure the entity into paying. This reinforces that the HHS tool does not provide the full picture of how health data breaches are truly affecting healthcare.
Insiders Responsible for 27.3% of Breach Incidents
Insiders were responsible for 27.3% of August’s breach incidents (9 incidents). There were numbers available for 8 insider incidents, affecting 31,554 patient records. Seven of the reported insider incidents were the result of insider-error. We have numbers for six of these incidents, affecting 26,831 patient records. Two of the reported insider incidents were the result of insider-wrongdoing, affecting 4,723 patient records. In one case, an organization that suffered a hacking incident also ended up suffering from an insider incident during the notification process. The notification letters that included sensitive information were sent to the wrong recipients, creating another breach altogether.
It is important to note that there were three incidents of physical theft of patient records, which affected 2,212 patient records. Five incidents were the result of third parties or business associates (BA); there may be more, but not enough information was provided to make a determination, since the HHS breach tool has a tendency to underreport these types of incidents. We have numbers for three of these incidents, affecting 24,258 patient records.
Types of Entities Disclosing
Of the 33 health data breach incidents in August, 24 (72.7%) involved healthcare providers, six (18.2%) involved health plans, one involved a business associate or third party, one involved a pharmacy, and one involved a private school. The private school accidentally sent out an email with the sensitive medical information of 86 students, including allergies, medical conditions, psychiatric diagnoses, and medications. It should be noted that there could be more incidents involving third parties, but for a number of incidents there was not enough information to make that determination.
It is also worth noting that six health data breach incidents involved paper or film patient records. We have numbers for all six incidents, affecting 18,480 patient records. Two of these incidents involved PHI that was visible through envelope windows, which raises the question of why windowed envelopes were used to send sensitive health data at all. There may have been more incidents in which paper or film records were involved, but again, some reports lacked the detail that would have enabled that determination.
Reduction in Time to Breach Discovery Is a False Sense of Optimism
Of the reported incidents for which we have numbers, it took an average of 138 days (median = 31 days) for healthcare organizations to discover a breach had occurred. It’s important to note that the mean and median are drastically different given the extreme range of the data. Some entities discovered a breach immediately, while one incident went undiscovered for almost two years, a result of insider-wrongdoing. This breach affected 4,721 patient records and went completely unnoticed until the breach was reported to the healthcare organization.
While at first glance it appeared that an emerging trend had health data breaches taking significantly less time to discover, further analysis suggested that the decreasing time to discovery may simply be an artifact of the recent uptick in hacking incidents. For the month of August, a hacking incident took an average of 26 days to discover (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days). Because the overall figure blends these two populations, a month with more hacking incidents will show a lower overall discovery time even if neither category is being detected any faster. Generally, hacking incidents are discovered much sooner than insider incidents because of the disruption to the organization's daily operations. Additional analyses will be conducted going forward to see whether this is an emerging trend or whether it is directly associated with the influx of hacking incidents.
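To make the mix-shift caveat concrete, here is an added Python example; it is not part of the Barometer analysis and does not use its underlying data. The incident lists are constructed so that each category's discovery times are identical in both "months" and only the proportion of hacking incidents changes. The mix_adjusted_mean() function re-weights the later month to the earlier month's category mix (direct standardization), which is the check to apply before reading a falling overall mean as faster detection.

```python
from statistics import mean, median
from typing import Dict, List, Tuple

# Constructed incident lists of (category, days to discovery). These are NOT
# the Barometer's data. Each category's discovery times are the same in both
# months; only the share of hacking incidents grows from 2 of 7 to 6 of 11.
INSIDER = [60, 115, 115, 400, 700]   # slow: legitimate access, no outage to notice
MONTH_A = [("insider", d) for d in INSIDER] + [("hacking", d) for d in (20, 30)]
MONTH_B = [("insider", d) for d in INSIDER] + [("hacking", d) for d in (5, 10, 22, 23, 30, 60)]


def by_category(incidents: List[Tuple[str, int]]) -> Dict[str, List[int]]:
    """Group discovery times by incident category."""
    groups: Dict[str, List[int]] = {}
    for category, days in incidents:
        groups.setdefault(category, []).append(days)
    return groups


def summarize(incidents: List[Tuple[str, int]]) -> Dict[str, Tuple[float, float]]:
    """(mean, median) days to discovery per category and overall."""
    out = {cat: (mean(v), median(v)) for cat, v in by_category(incidents).items()}
    all_days = [d for _, d in incidents]
    out["overall"] = (mean(all_days), median(all_days))
    return out


def mix_adjusted_mean(current: List[Tuple[str, int]],
                      baseline: List[Tuple[str, int]]) -> float:
    """Mean of `current` re-weighted to `baseline`'s category mix.

    This is direct standardization: each category's current mean is weighted
    by the category's share in the baseline month. If this figure does not
    fall alongside the raw overall mean, the apparent improvement is a change
    in mix, not in detection.
    """
    base = by_category(baseline)
    cur = by_category(current)
    total = sum(len(v) for v in base.values())
    return sum(mean(cur[cat]) * len(v) / total for cat, v in base.items())


if __name__ == "__main__":
    for label, month in (("month A", MONTH_A), ("month B", MONTH_B)):
        for cat, (avg, med) in summarize(month).items():
            print(f"{label} {cat:8s} mean={avg:6.1f} median={med:5.1f}")
    print(f"month B at month A's mix: mean={mix_adjusted_mean(MONTH_B, MONTH_A):.1f}")
```

With these inputs the raw overall mean falls from about 206 days to 140 and the median from 115 to 60, while the per-category means (278 days insider, 25 days hacking) do not move; re-weighting month B to month A's mix returns the original 206 days.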
In previous Breach Barometer reports, most of the health data breaches that remained hidden for a significant amount of time — often years — were the result of insiders. This should serve as a reminder to healthcare organizations that while hacking can create a large splash due to the large number of affected patient records in one incident, it is the insider threats to patient data that can go undetected for extended periods of time. This is often the case because insiders have legitimate access to the EHR and ancillary systems. Advanced analytics are necessary in order to fully understand how patient information is accessed so that when a breach occurs, it can be detected, mitigated, and resolved as quickly as possible.
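As an added example of the kind of access analytics the paragraph above calls for (illustrative code written for this page, not Protenus's product or any real audit feed), the script below runs two simple detections over a constructed EHR audit-log extract: a user viewing patients with whom they have no recorded treatment relationship, and a user whose daily record count jumps well above their own baseline. The CSV schema, the RELATIONSHIPS table and the thresholds are assumptions for this example.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

# Constructed EHR audit-log extract. Columns and values are invented for this
# example; real audit feeds differ by vendor.
AUDIT_LOG = """\
date,user,role,patient_id,action
2017-08-01,jsmith,nurse,P1001,view
2017-08-01,jsmith,nurse,P1002,view
2017-08-01,jsmith,nurse,P1003,update
2017-08-02,jsmith,nurse,P1001,view
2017-08-02,jsmith,nurse,P1004,view
2017-08-03,jsmith,nurse,P1002,view
2017-08-03,jsmith,nurse,P1003,view
2017-08-04,jsmith,nurse,P1001,view
2017-08-04,jsmith,nurse,P1002,view
2017-08-04,jsmith,nurse,P1003,view
2017-08-04,jsmith,nurse,P1004,view
2017-08-04,jsmith,nurse,P2001,view
2017-08-04,jsmith,nurse,P2002,view
2017-08-04,jsmith,nurse,P3005,view
2017-08-04,jsmith,nurse,P3006,view
2017-08-01,kpatel,nurse,P2001,view
2017-08-01,kpatel,nurse,P2002,view
2017-08-02,kpatel,nurse,P2001,view
2017-08-02,kpatel,nurse,P2002,view
2017-08-03,kpatel,nurse,P2001,view
2017-08-03,kpatel,nurse,P2002,update
2017-08-04,kpatel,nurse,P2001,view
2017-08-04,kpatel,nurse,P2002,view
"""

# Constructed treatment relationships (which patients each clinician is
# assigned to), as would be derived from admissions or scheduling data.
RELATIONSHIPS: Dict[str, Set[str]] = {
    "jsmith": {"P1001", "P1002", "P1003", "P1004"},
    "kpatel": {"P2001", "P2002"},
}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Read the CSV extract into one dict per access event."""
    return list(csv.DictReader(io.StringIO(text)))


def snooping(events: List[Dict[str, str]],
             relationships: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(user, date, patient) for accesses outside a recorded treatment relationship.

    Users with no relationship data (e.g. billing staff) are skipped rather
    than flagged; they need a different rule.
    """
    hits = []
    for e in events:
        assigned = relationships.get(e["user"])
        if assigned is not None and e["patient_id"] not in assigned:
            hits.append((e["user"], e["date"], e["patient_id"]))
    return hits


def volume_spikes(events: List[Dict[str, str]], factor: float = 3.0,
                  min_count: int = 5, min_baseline_days: int = 2
                  ) -> List[Tuple[str, str, int, float]]:
    """(user, date, count, baseline) where a user's daily access count exceeds
    both `factor` times the median of their other days and `min_count`.

    Comparing each user to their own history avoids flagging roles that
    legitimately touch many charts a day.
    """
    daily: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        daily[e["user"]][e["date"]] += 1
    spikes = []
    for user, counts in daily.items():
        for date, count in sorted(counts.items()):
            others = [c for d, c in counts.items() if d != date]
            if len(others) < min_baseline_days:
                continue
            baseline = median(others)
            if count >= min_count and count > factor * baseline:
                spikes.append((user, date, count, baseline))
    return spikes


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for user, date, patient in snooping(events, RELATIONSHIPS):
        print(f"no treatment relationship: {user} viewed {patient} on {date}")
    for user, date, count, baseline in volume_spikes(events):
        print(f"volume spike: {user} accessed {count} records on {date} (baseline {baseline})")
```

Both rules fire on the same user and day in the sample, which is the pattern worth escalating: an access outside any care relationship is explainable on its own (a covering shift, a consult), but combined with a volume jump it looks like record harvesting rather than care. In a real deployment the relationship table must be rebuilt continuously from admissions, scheduling and on-call data, or the first rule drowns in false positives.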
It also took an average of 53 days (median = 58 days) from the time a breach was discovered to when it was disclosed, whether to HHS, the media or a state attorney general. It is promising to see that healthcare organizations are routinely reporting health data breaches within the mandated 60-day window. Hopefully breach detection will also improve as the advanced technologies now beginning to be used in healthcare are adopted more widely.
Breach Incidents By State
Eighteen states are represented in the 33 health data breach incidents. Texas had five incidents, the most of any state in August. It should be noted that the breach incidents that occurred in Texas were not a result of Hurricane Harvey. California followed closely with the second highest total of four separate health data breach incidents. California routinely has a relatively high number of breach incidents, but this could be due to its larger number of reporting entities and patients and/or to more robust reporting.
The increase in hacking incidents and the duration of undiscovered insider incidents reinforce the need for healthcare to proactively detect health data breaches. The sooner breaches are discovered, the sooner an organization can begin to mitigate the repercussions, for both the organization and its patients. Specific attention should focus on insider threats to patient data, as insiders with malicious intent can create significant havoc, both personally and financially, for the affected patients. Thought leaders in healthcare consistently discuss ways organizations can continue to improve breach detection and resolution. Hopefully the industry is heeding their advice and 2017 will see continued improvement throughout the remainder of the year.
If you’d like to read more about the details pertaining to specific breach incidents, you can find reports on the Databreaches.net website.