The latest year-in-review Breach Barometer report from Protenus paints a stark picture—2016 averaged at least one health data breach per day, affecting more than 27 million patient records.
Protenus, a healthcare cybersecurity vendor, develops the Breach Barometer reports in collaboration with DataBreaches.net and the annual analysis is based on 450 breach incidents either reported to the U.S. Department of Health and Human Services (HHS) or disclosed in the media or other sources during the year. With more than one health data breach per day for the entire year, these breaches resulted in 27,314,647 affected patient records.
“Even as healthcare leaders became increasingly aware of the importance of health data protection, the number of breach incidents remained relatively steady each month of the year, highlighting the continued threat to patient data,” the report authors wrote.
If 2016 trends continue, according to the report authors, 2017 can expect to see a continued average of at least one health data breach disclosed per day.
Some key highlights from the breach barometer report on 2016 health data breaches:
- Close to half (43 percent) of the data breaches (192 incidents) were a result of insiders, affecting 2 million patient records.
- Of the insider incidents for which data was available, 99 were a result of insider-error or accident and 91 incidents were a result of wrongdoing.
- The average number of breached patient records due to insider-error was more than three times the number attributed to insiders with malicious intent.
- Hacking and ransomware were responsible for 27 percent of all healthcare data breaches
- Hacking incidents impacted 23,695,069 patient records
- There were so many patient records put up for sale on the dark web in 2016 that the price per record dropped significantly as the market become flooded.
- While hacking accounted for the majority of patient records breached in 2016, insider incidents resulted in a larger number of breach incidents (120 vs. 192 respectively).
- On average, health data breaches take 233 days to discover and 344 days to report
- The time to discovery specifically in cases of insider wrongdoing was more than double that—607 days.
The report authors concluded, “This year’s data has shown that the frequency of breaches has been steady and will continue to be until health data security becomes a top priority for healthcare organizations. This data shows that external or internal bad actors are not being deterred from wreaking havoc on healthcare organizations and their patients. 2017 will continue to see this level, or even greater levels, of health data breaches if healthcare organizations don’t take steps to reduce their risk.”
Further, the report authors emphasized the need to focus on insider threats.
“The healthcare industry should prepare for an increase in insider health data breaches until organizations further require additional training and utilize technology to detect inappropriate accesses to the medical record, further reducing their breach risk,” the report authors wrote.
