Cybersecurity

Protenus: Improvement Seen in Reporting Data Breaches to HHS

May 23, 2017

Over the past few months, healthcare organizations are taking less time to report their data breaches to the U.S. Department of Health and Human Services (HHS).

Rajiv Leventhal

Over the past few months, healthcare organizations are taking less time to report their data breaches to the U.S. Department of Health and Human Services (HHS), which could be in response to the federal agency now fining organizations for not reporting health data breaches within the required 60-day window.

The findings were the latest from latest Protenus, which constructs a “Breach Barometer” report each month. Indeed, April is the second straight month in which there seems to be noticeable improvement in the time it takes for healthcare organizations to report their breaches to HHS.

Last month, 66 percent of entities reported their health data breach to HHS within the required 60-day window; previous Protenus reports have found that it has taken several months or years for a healthcare system to discover and report a health data breach to HHS. Of the incidents reported in April for which there is data, it took an average of 51 days for healthcare organizations to discover a breach had occurred. It also took an additional average of 59 days from the time the breach was discovered to when it was reported to HHS.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

What’s more, the April report found that 2017 seems to be on a steady course when it comes to the number of breach incidents and number of patient records affected each month. March totals were significantly higher than April’s totals, mostly due to a single large breach incident in March. There were 34 separate breach incidents in April, affecting 232,060 patient records. The 39 incidents in March affected 1,519,521 patient records.

Meanwhile, insiders were responsible for 29 percent of April’s total breach incidents (10 incidents). Protenus has numbers for eight incidents, affecting 9,251 patient records. Five of the reported insider incidents were the result of insider-error, affecting 7,037 patient records, and four of the reported incidents were the result of insider-wrongdoing. The report’s authors noted, “While hacking receives significant press coverage, it’s the malicious bad actors that stem from inside healthcare organizations that can cause the most destruction. This is due to the simple fact that they often go undetected because they have legitimate access to patient data and aren’t the immediately obvious ‘red flag.’”

Once again, hacking accounted for a significant percentage of records and incidents (16 incidents accounted for 47 percent of the total breaches). For the reported hacking incidents for which there are numbers, 171,268 patient records were affected. There were five incidents in which ransomware was specifically mentioned as the cause of the health data breach, though the authors noted that other breaches might have included ransomware too, but reports for those were unclear.

The report mentioned that in early April, one of the worst cybersecurity incidents of the year occurred in which patient data was stolen from a behavioral health center in Maine and sold to an unknown third party. This incident did not get major national attention many others do, and as the report stated, “It seems that in 2017 the threat has elevated for breaches of this caliber, and entities now have to worry about their patient data being listed for sale on the Dark Web before they even know a breach has occurred. In 2016, hackers like TheDarkOverlord were giving entities a heads up that their data would be sold if demands were not met. This year, we’ve seen data for sale before any warning or alerts were given to the entity.”