November Breach Report: 28 Incidents, 84K Patient Records Affected
The month of November was witness to 28 healthcare data breach incidents and nearly 84,000 patient records impacted, according to the latest report from cybersecurity software company Protenus.
Since the beginning of 2017, there has been a consistent trend of at least one healthcare data breach per day; however, November saw this average dip ever so slightly with a total of 28 incidents. Information was available for 25 of those incidents, which affected a total of 83,925 patient records, according to Protenus, which tracks disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net
The number of both data breach incidents and affected patient records are lower than any other month thus far in 2017, “but it may also just indicate that people wanted to get ready for Thanksgiving so they delayed reporting,” according to the Protenus monthly snapshot blog. That said, the number of affected records disclosed during November was significantly lower than the rest of the year. To compare, in the month of October, 246,246 records were affected by a data breach; in September, 499,144 were affected, and in August, 673,934 were affected.
The single largest incident in November for which there is data involved a sleep and pulmonary center in New Jersey who reported that 16,474 patient records were locked up by a ransomware attack. The organization did not pay the ransom and simply restored the files using an offline backup.
Regarding cybersecurity breach trends in November, since July 2017, hacking incidents have consistently outnumbered insider incidents, but the month of November reverses this trend. However, a significant percentage of affected records (44 percent) were due to hacking incidents, and this number would have been even higher, but some data was unavailable for some of the incidents this month, Protenus insiders noted. Of the hacking incidents that were tracked, five breaches affected 36,804 patient records, meaning each incident involved a large number of records impacted. Also of note, there were seven health data breaches that involved paper or film patient records, affecting 8,859 patients.
Meanwhile, there were nine incidents that involved insiders during the month of November, accounting for 32 percent of the total number of data breaches. While insider and hacking breaches accounted for the majority of disclosed incidents, five incidents involved physical theft of patient records, affecting 3,273 records, and two incidents involved lost or missing records, affecting 2,051 records. Loss and theft of patient records accounted for 25 percent of all November health data breaches, according to the report.
What’s more, of the 28 reported health data breach incidents for November, 23 of them involved healthcare providers, three involved health plans, one involved a business associate, and one involved a business which was included in the “other” category of the analysis. The affected business was a law firm that suffered a ransomware attack which affected 16 records.
For the health data breaches that occurred in November, Protenus has data on how long it took to discover and report those breaches for just four of them. On average, it took healthcare organizations 55 days (median= 33 days) to discover that their healthcare organization had been hit with a breach incident.
The longest incident of the month took 153 days from the time the breach occurred to when it was discovered. While these numbers are lower than what has been reported in previous months, the small sample size precludes any comparisons to previous months, according to Protenus insiders.