In February, hacking incidents only accounted for 12 percent of total healthcare data breach incidents, yet insiders were responsible for almost 60 percent of the total breach incidents during the month, which points to a troubling trend, according to the latest Protenus “Breach Barometer” report.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net. This month’s analysis showed 31 breach incidents either reported to the U.S. Department of Health and Human Service or first disclosed in media or other sources, which is the same number of incidents as reported in January.
While the number of incidents remained the same, February experienced a 47 percent drop in the number of affected patient records (206,151 vs. 388,207), according to Protenus. The largest single incident involved 100,000 patient records, and was the result of insider-error.
In previous months, healthcare saw hacking incidents that affected considerable amounts of patient data, usually totaling a bit more than a quarter of total incidents. In February, however, hacking resulted in only 12 percent of total breach incidents, or four incidents. For hacking incidents for which Protenus has numbers, these four incidents affected 44,144 patient records.
Insiders were responsible for 58 percent (18 incidents) of February’s total breach incidents, affecting 146,162 patient records. Protenus’ analysis found that eight of the eighteen insider incidents were the result of insider-wrongdoing, affecting 12,020 patient records. Nine of the incidents were the result of insider-error, affecting 133,418 patient records. One insider incident, involving 724 records, could not be classified due to lack of provided information, Protenus reported.
The rise in the number of insider-related breach incidents point to a troubling trend in healthcare. According to Protenus’ November “breach barometer” report, in which there were 57 data breach incidents, 54 percent of the total breaches affecting patient data were a result of insiders, or 31 incidents.
In a year-end review of healthcare data breaches, Protenus researchers concluded that insiders are a very real risk to the security of patient data. “The high number of breach incidents, and the fact that these small-scale breaches can often go undetected, make these breaches especially devastating. The healthcare industry should prepare for an increase in insider health data breaches until organizations further require additional training and utilize technology to detect inappropriate accesses to the medical record, further reducing their breach risk,” the report authors wrote.
Another troubling factor is how long it takes for healthcare organizations to discover a breach and the length of time from discovery to reporting the incident. The Protenus report authors note that some breach incidents are not publically disclosed for months, or in some cases, several years. “Examining incidents for which we know the date of the breach, date of discovery, and date the breach was reported, it’s clear that some healthcare organizations are doing better than others when it comes to proactively managing their patient data,” the report authors wrote.
Of the incidents reported in February for which Protenus has data, it took an average of 478 days from the time the breach occurred to when HHS was notified, the report notes. And this is a dramatic increase from the 174 average number of days that elapsed from breach to reporting for January breaches, according to the Protenus report.
“There were two instances in February in which it took organizations over five years (1,952 and 2,103 days, respectively) to discover that a health data breach had even occurred,” the report authors wrote. “The first incident should remind organizations that protocols need to be in place to ensure glitches with technology are caught and corrected in order to avoid vulnerabilities persisting for years before discovery. The second incident stresses the importance of organizations proactively monitoring their patient data for inappropriate accesses to their sensitive medical information.”
The report authors emphasized that the sooner a healthcare organization can detect when there has been inappropriate access to patient data, the sooner they can mitigate the risk of significant damage and greatly reduce the associated cost the organization will suffer in brand, reputation, lawsuits and fines.
“February’s health data breaches reinforce the importance of understanding inappropriate workforce activity, especially when the majority of incidents come from within a healthcare organization,” the Protenus report authors wrote. “It’s important for healthcare organizations to use advanced analytics to immediately detect breaches of this magnitude in real-time, greatly reducing the impact for patients and organizations alike.”
Looking at the types of entities reporting data breaches during the month of February, of the 31 reported incidents, there were 24 incidents reported by healthcare providers (77 percent of all reported entities), four incidents reported by health plans, two reported by third parties, and one incident reported by a business not covered by HIPAA, according to the Protenus analysis.
While third-party breaches constituted 82 percent of total patient records breached in January, there was a significant drop in February, affecting only 21 percent of patient records. Third-parties were responsible for seven breach incidents, with numbers available for six of these incidents, affecting 44,191 patient records.
