Each month in 2016 has seen substantial PHI breaches, causing an influx of records for sale on the dark web, which is now causing a sudden price collapse. Hacking and ransomware continue to loom large with several instances of patient data irretrievably lost.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Findings for October 2016
Healthcare organizations might find comfort in knowing that the number of breach incidents, as well as total patient records breached, is down again for a second month after a summer-long uptick in record-setting breaches. This month’s analysis shows 35 incidents either reported to HHS or first disclosed in media or other sources. It’s important to note that there are some incidents reported to HHS this month that are not included in October totals — this is because they were included in previous Breach Barometer reports, and for a listing of specific incidents included in October statistics, see DataBreaches.net. Information was available for 31 of these incidents, totaling 776,533 records breached.
While the number of incidents per month is down compared to this summer, it’s still considerably higher than incidents reported in early 2016. It will be interesting to see if this trend continues given the recent drop in pricing for medical records on the dark web — only time will tell.
664K Patient Records Breached Due to Hacking or Ransomware
Forty percent (14 incidents) of breaches in October were hacking, malware, or ransomware incidents, affecting 664,549 patient records. It’s important to note that there were two known hacking incidents where the total number of patient records wasn’t available. If data regarding these incidents were available, this total could be substantially higher. Of the fourteen incidents for which we have numbers, four specifically involve ransomware and another two involve ransom/extortion (but not ransomware) as the source of the breach. Three entities reported that patient data was irretrievably lost due to ransomware (one report) or during recovery from ransomware (two reports). Two entities that reported data loss during ransomware recovery were clients of a business associate who also reported data loss as a result of the same ransomware incident. Those earlier reports were included in our September Breach Barometer. Unfortunately, we do not yet know how many patient records were irretrievably lost.
The two hacking incidents with ransom demands both involved the criminal actor known as TheDarkOverLord. Neither incident has yet appeared on HHS’s public breach tool, so we only have TheDarkOverLord’s claims as to the number of records acquired in the hacks. Because databases generally contain a lot of duplicates, the number of records claimed may significantly overestimate the number of patients actually affected.
As TheDarkOverLord has done in the past, there were samples dumped from the two entities’ databases on public file-sharing sites to pressure them into paying the ransom demands. “Although TDO has claimed that some of his victims paid his ransom demands, there’s not evidence that any of his victims have ever paid any ransom,”said Dissent of DataBreaches.net. “Because giving into a extortionist demands just encourages more extortion attempts, if operations are not threatened and you have backups so that there’s no serious risk of medical records being corrupted or wiped out, entities should probably refuse to pay the ransom.”
Breaches resulting from insiders resulted in thirty-seven percent of October breaches, five of which were accidental (four incidents affected 9,477 patient records) and 8 of which were insider wrongdoing (seven incidents affected 70,497 patient records). For the 11 of the 13 insider incidents for which we have numbers, 79,974 records were involved.
Types of Entities Reporting
29 incidents involved healthcare providers (82.8 percent of reported entities), followed by two incidents that were reported by health plans, and three incidents reported by a Business Associate (BA) or vendor. Seven of the October incidents involved Business Associates or vendors, but there may be more, as it is not always clear from initial reports which type of entity reported the breach and which was responsible. For the five BA incidents for which we have numbers, 581,882 patient records were involved. As explained above, two of these incidents were related to a BA incident reported in the September Breach Barometer. There was one incident reported by a Health Information Exchange (HIE), 2.9 percent of total entities reported in October.
It is worth noting that paper records were involved in six incidents. There may be more, however some reports were lacking detail that would have enabled that determination.
Length of Time to Discover and Report Breaches
As we reported over the last few months, there are some breach incidents that are not publically disclosed for months, or in some cases, several years. Of the incidents reported in October for which we have data, it took an average of 63 days from the time the breach has occurred to when HHS is notified, which is substantially less than the 151 average number days it took from breach to reporting for September breaches. Even with the decrease in time to reporting, it’s important to stress the importance of being proactive when monitoring patient data, as the sooner a breach is discovered, the sooner the healthcare organization can mitigate the risk of the significant damage that can be done with a patient’s sensitive health data.
Breach Incidents By State
19 states are included in the 35 total incidents. California had 4 incidents, which is the most reports of any state in October. There was one incident in which a location was not indicated.
Sign-up to be to receive our monthly Breach Barometer to get the latest info on data breaches affecting healthcare.