April is the second consecutive month in which there has been a noticeable improvement in the time it takes healthcare organizations to report their breaches to HHS. Last month (March), HHS stepped up enforcement by beginning to fine healthcare organizations that failed to report health data breaches within the required 60-day window. This raises the question of whether healthcare organizations are becoming more diligent in responding to and reporting breaches of patient data as a result of this regulatory scrutiny. Transparency about the data breaches plaguing the healthcare industry will help organizations and regulators better understand the breadth of the problem and determine how best to mitigate it and defend institutions from being victimized further.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Findings for April 2017
2017 seems to be on a steady course when it comes to the number of breach incidents and the number of patient records affected each month. March totals were significantly higher than April’s, mostly due to a single large breach incident in March. There were 34 separate breach incidents in April, affecting 232,060 patient records. Our analysis is based on incidents either reported to HHS or disclosed in the media or other sources during April 2017. Information was available for 28 of those incidents. The largest single incident involved 93,323 patient records and was reported to HHS as a “hacking/IT event.”
Hacking Captures Press, While Insiders Wreak Havoc
The most recent Verizon DBIR report found that 68% of breaches of healthcare data were the result of insiders. This reinforces our routine finding that, while hacking receives significant press coverage, it is the malicious actors inside healthcare organizations who can cause the most damage. The reason is simple: they often go undetected because they have legitimate access to patient data and do not raise an immediately obvious “red flag.” It should be noted that the Verizon report covered confirmed breaches rather than all incidents, so the percentage of health data breaches attributable to insiders could be even higher.
Insiders were responsible for 29% of April’s total breach incidents (10 incidents). We have numbers for eight of these incidents, affecting 9,251 patient records. Five of the reported insider incidents were the result of insider error, affecting 7,037 patient records. Four of the reported incidents were the result of insider wrongdoing. We have numbers for three of these incidents, which affected 442 patient records.
As we have continued to note in tracking health data breach trends, hacking accounted for a significant share of records and incidents (16 incidents, or 47% of the total breaches). For the reported hacking incidents for which we have numbers, 171,268 patient records were affected. There were five incidents in which ransomware was specifically mentioned as the cause of the health data breach. There may be other incidents that were the result of ransomware, but the reports were unclear. Phishing-related incidents are coded as hacking because the HHS report form does not collect this specific information, but there were three incidents in which employees first fell for a phishing attack. It is therefore difficult to know precisely how many of the external attacks reported in April involved phishing to gain access to systems.
One of the hacking incidents disclosed in April is among the worst breach incidents of the year, due to the highly sensitive nature of the patient data that was stolen and then sold to an unknown third party. This health data breach went relatively unnoticed, as it did not receive national media coverage. In 2017 the threat of breaches of this caliber appears to have escalated: entities now have to worry about their patient data being listed for sale on the Dark Web before they even know a breach has occurred. In 2016, hackers like TheDarkOverlord were giving entities a heads-up that their data would be sold if demands were not met. This year, we have seen data for sale before any warning or alert was given to the entity. Databreaches.net commented, “This breach might have been worse if a well-trained answering service had not immediately relayed my message to the clinic’s owner despite the day and hour. Their foresight in having escalation procedures in place enabled them to begin incident response immediately upon discovery of the breach.” Technologies that leverage advances in machine learning and artificial intelligence can alert organizations as soon as there is inappropriate access to patient data, allowing them to respond promptly and mitigate potential damage.
It is also important to note that there were five reported incidents of patient record theft. Information was available for four of these incidents, which resulted in 39,824 breached patient records.
Types of Entities Reporting
Of the 34 health data breach incidents in April, 27 (79.41%) were reported by healthcare providers, two were reported by health plans, two were reported by a business associate or third party, and three were classified as ‘other’ (a school district, a county, and a prescription assistance program).
Compared to last month, the number of health data breaches that occurred as a result of third parties increased from only one incident in March to five separate incidents in April. There could be more incidents involving third parties, but for a number of incidents there was not enough information to make that determination.
It is also worth noting that five health data breach incidents involved paper or film patient records. There may have been more incidents involving paper or film records, but again, some reports lacked the detail that would have enabled that determination.
Length of Time to Discover and Report Breaches
April appears to be continuing the promising trend of healthcare organizations reporting their health data breaches within the required 60-day window. The March Breach Barometer first noted that healthcare organizations appeared to be becoming more diligent about reporting breaches since HHS began focusing on organizations that reported health data breaches late.
Of the incidents reported in April for which we have data, it took healthcare organizations an average of 51 days to discover that a breach had occurred. On average, an additional 59 days passed between discovery of the breach and its report to HHS. Of the incidents for which we have data, 66% of entities reported their health data breach to HHS within the required 60-day window.
Breach Incidents By State
Nineteen states are represented in the 34 health data breach incidents. Texas had four incidents, the most of any state in April. Florida, Michigan, New York, and Ohio followed closely with the second-highest total, three separate health data breach incidents in each state.
The April Breach Barometer shows continued improvement in the timeliness with which healthcare organizations report their breaches to HHS. This is encouraging, as it helps healthcare organizations learn from each other how to better detect and mitigate health data breaches. These incidents do not need to be swept under the rug out of shame; they can instead serve as unfortunate but valuable lessons for the entire industry. Together, we can make significant improvements in protecting patient privacy and ensuring patient trust as we navigate the challenging health data breach landscape collectively.
If you would like to read more about the details of specific breach incidents, you can find reports on the Databreaches.net website.
Sign up to be the first to receive our monthly Breach Barometer report and get the latest information on the data breaches affecting healthcare.