A recent report has stated that patient records affected by health data breaches have hit a four-year low in 2017. Unfortunately, while these findings are promising, the number of breach incidents remains steady and continues to represent a constant threat to patient data security. There also seems to be a continuing trend in which health data breaches that have affected the most patient records in a given month are the result of hacking while breaches that have taken the longest to detect are the result of insiders. February continues this trend, with a ransomware attack responsible for the largest single incident of the month and an insider-error incident that continued for over four years before it was detected by the healthcare organization. There was also one incident that was the result of insider-wrongdoing, and this particular case highlights just how insidious insider-wrongdoing breaches can be.
Findings for February 2018
There were a total of 39 health data breaches reported to HHS or disclosed to the media in February 2018. We have data for 28 of those incidents, which affected 348,889 patient records. The single largest breach in February involved a ransomware attack on a New York-based healthcare organization that affected 135,000 patient records. The hackers gained access to patient data that included names, DOB, addresses, dates of service, diagnosis codes, procedure codes, insurance information, and in some cases, Medicare information including Social Security numbers. An investigation did not find any evidence that the attackers copied the records, but it was unable to definitively verify this. As a result, the breached organization is offering affected patients a one-year membership for fraud detection and identity-theft protection tools.
Insiders Responsible for 51% of Affected Patient Records
There were 16 incidents in February (41% of total breach incidents) that were the result of insiders. We have data for 13 of those incidents, which affected 177,247 patient records (51% of all breach patient records). Notably, 94% of insider-related incidents (15 incidents) were the result of insider-error. We have data for 12 of these incidents, which affected 179,967 patient records. Significantly, there was only a single instance of insider-wrongdoing this month, which affected 280 records, but it was a particularly egregious case. This incident involved a pediatrician providing a pharmaceutical company with the identifiable health information of 280 pediatric patients so the company could market a costly new drug to these targeted patients. The pediatrician eventually gave the pharmaceutical company his login credentials so the sales representatives could access the EMR and look for more potential customers. While this type of breach can be one of the most difficult to detect due to credential sharing, there is AI-powered technology available that allows healthcare organizations to promptly detect abnormal user behavior and stop these bad actors from taking advantage of patient vulnerabilities.
There were 13 incidents (33% of total breach incidents) that involved hacking in February. We have data for eight of those incidents, which affected 160,381 patient records. It’s important to note that while hacking incidents affected 46% of the total number of breached records this past month, the numbers could be higher as there were five incidents in which data was unavailable. Ransomware or malware was specifically mentioned in four incidents, which affected 144,925 records, and phishing was specifically mentioned in two incidents, which affected 6,793 records.
There were also three health data breaches in February that involved the physical theft of patient records. We have data for one of those incidents, which affected 623 patient records. There were also two incidents in which 1,304 patient records were discovered to be missing.
There were a total of eleven incidents that involved business associates (BAs) or third-party vendors. We have information for eight of these incidents (24% of all breach incidents in February) that affected 118,078 records (33% of total patient records). There were three instances in which a business associate was a victim of a hacking incident, five insider-error incidents, and one incident in which a BA was involved in patient records that were lost or missing. Nevertheless, it should be noted that there could be even more incidents involving third parties, but there was not enough information to make that determination.
Lastly, there were five incidents for which we did not have enough information to classify them. Data was available for four of these incidents, which affected 9,334 records.
Types of Entities Disclosing
Of the 39 health data breaches that occurred in February, 23 of them (59% of total incidents) were reported by a healthcare provider, eight were reported by a health plan, four were reported by a business associate or third-party vendor, and four were reported by businesses or other organizations.
There were also seven breach incidents that involved paper records. We have data for all seven, which affected 122,607 patient records. There may have been more incidents in which paper or film records were involved, but some reports were lacking detail that would have enabled us to make that determination.
One Incident Remained Undiscovered for over Four Years
Of the 13 health data breaches for which we have data, it took an average of 325 days from when the breach occurred to when it was discovered (median of 34 days). There was a wide split in the data, with some incidents taking a short time to discover, while others went on for months and even years. The longest incident of the month was the result of insider-error and took 1510 days (over four years) to detect. The healthcare organization had taken over onsite clinics for three of its clients. In February 2017, that organization became aware that there was an issue with its health record system and began an investigation. In December 2017, the healthcare organization found a technical issue that allowed the employees of its clients to access more information within the record system than those employees should have been given access to. According to the organization’s report to the HHS, 4,549 patient records were affected.
Of the 20 incidents for which we have data, it took an average of 68 days (median 59 days) from when a breach was discovered to when it was disclosed to HHS, the media or other sources. This average is an improvement over January findings, where it took an average of 96 days to disclose a breach had occurred. It is important to note that there is only information available for approximately half of the breaches disclosed in February, making it difficult to draw notable conclusions from the available data.
Breach Incidents by State
23 states (including Puerto Rico) are represented in this month’s 39 health data breaches. California had by far the most incidents of any state with six, while Georgia and Wisconsin tied for second, each with three breaches. It should be noted, however, that California routinely has a relatively high number of breach incidents, but this could be due to higher reporting entity and patient volume, and/or more robust reporting.
There is some good news for the healthcare industry according to the fourth annual Healthcare Breach Report, which found that the number of patient records affected by health data breaches reached a four-year low in 2017. Although the number of breach incidents continues to hold steady, the reduced number of affected patient records seems to indicate that healthcare organizations haven’t suffered from massive hacking incidents like those we saw in 2015 and 2016. Both the Verizon report and the Breach Barometer report find that insider incidents (both insider-error and insider-wrongdoing) represent the greatest risk to patient information, and have pointed out that the healthcare industry is unique in that its insiders are the largest threat to the security of patient data. Healthcare organizations need to direct their attention to proactively detecting and preventing cases in which hospital insiders misuse their system credentials and inappropriately access patient information. This ability to audit every access to patient data will not only thwart bad actors, but also reduce risk to the organization and increase patient trust.
If you’d like to read more about the details pertaining to specific breach incidents, you can find reports on the Databreaches.net website or subscribe to automatically receive the report each month.