July is the first month in 2017 to have healthcare cybersecurity hacking incidents outweigh insider breaches to patient data in both frequency and number of affected patient records, according to the latest report from Protenus.
While hacking accounted for almost half of total breach incidents this month, the severity and potential damage of insider threats to patient data should not be overlooked, with one incident going undetected for 14 years. The findings were the latest from latest Protenus, which constructs a “Breach Barometer” report each month. The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.
Overall in July, there were 36 breach incidents first disclosed this month to the Department of Health and Human Services (HHS), the media, or a state’s Attorney General. For the 29 incidents for which Protenus had numbers, 575,142 patient records were affected. The largest single incident for which they had numbers involved 300,000 patient records in a ransomware incident. In June, Protenus recorded 52 such incidents—the most of any month in 2017.
In an unusual turn of events, according to Protenus experts, hacking outweighed insider incidents in both frequency and the number of patient records affected this month. In July, there were 17 hacking incidents, affecting 516,053 patient records, almost 21 times more patient records than breached by insiders. There were 10 hacking incidents in which ransomware was specifically mentioned as the cause of the health data breach.
Meanwhile, insiders were responsible for 22 percent of May’s total breach incidents (eight total incidents). There are numbers for seven insider incidents, affecting 24,212 patient records. Three of the reported insider incidents were the result of insider-error.
Also of note in the July report, of the reported incidents for which there are numbers, it took an average of 503 days (median = 79.5 days) for healthcare organizations to discover a breach had occurred. It’s important to note that the mean and median are drastically different given the extreme range of the data, noted the Protenus report: some entities discovered a breach immediately, while one incident went undiscovered for 14, a result of insider wrong-doing. This is by far the longest undetected breach that has been included in any of the Breach Barometer reports.
“The longevity of this type of insider breach of patient data is extremely worrisome. This breach affected 1,100 patient records and went completely unnoticed until someone called in a complaint. This is a prime example of why healthcare needs to be much more proactive in detecting inappropriate access to patient information. This organization will now face a multitude of costs associated with a breach, an unfortunate event that can now serve as a learning experience for the rest of the industry,” the report’s authors wrote. It also took an average of 67.5 days (median = 60 days) from the time a breach was discovered to when it was disclosed, either to HHS, the media or the state’s Attorney General, the report revealed.
