Nearly 32M Patient Records Breached in 1H 2019, Report Finds

Aug. 2, 2019

The number doubles the amount of records breached over the same time period in 2018

Nearly 32 million patient records were breached in the first half of 2019, according to new data released this week in the Protenus Breach Barometer, an analysis of how data breaches are affecting the healthcare industry.

The report from Protenus, a company that provides AI-powered healthcare compliance analytics platform, revealed that there has been an increase in the number of disclosed incidents in the first half of 2019, with 285 incidents disclosed to U.S. Department of Health and Human Services (HHS) or the media from January to June 2019.

And, the number of affected patient records has doubled from 15 million in the entirety of 2018 to 32 million between this time period. As first reported in 2016, a trend of at least one health data breach per day remains in 2019, the data showed.

The single largest breach disclosed so far in 2019 was the result of hacking a medical collections agency, when a billings collections vendor of Quest Diagnostics and LabCorp suffered a breach on its web payment system. More than 20 million patient records were affected when hackers potentially gained access to highly sensitive medical information.

In fact, hacking was the cause of 60 percent of the total number of breaches throughout the first half of the year, and 88 percent of the of the breached records over that time period. Of the 135 hacking incidents, 27 of those reported specifically mentioned ransomware or malware, 88 incidents mentioned a phishing attack, and one incidents mentioned another form of ransomware or extortion.

What’s more, hospital insiders were responsible for breaching more than 3 million patient records, or about 21 percent of the total number of breaches in the first half of 2019 (60 incidents). “Insider incidents are particularly difficult to detect due to the legitimate access hospital workforce must have to quickly and effectively treat their patients and can often go undetected for several years,” as noted in the Breach Barometer report.

Further, of the 285 disclosed health data breaches that occurred between January and June 2019, 205 of them (72 percent of total incidents) were disclosed by a healthcare provider, 32 were disclosed by a health plan, 26 were disclosed by a business associate or third-party vendor, and 22 were disclosed by businesses or other organizations. And, even though most healthcare organizations have already switched over to digitized patient records, 35 breach incidents still involved paper records.

According to Protenus officials, “This data reinforces the need for health systems to build privacy programs that review 100 percent of accesses to patient data in order to prevent these breaches from occurring, saving organization and patients significant post-breach costs.”