A total of 39 incidents and 126,930 records breached in the U.S. involving protected health information or medical/health information were either disclosed or reported in July, according to The Protenus Breach Barometer.
The Protenus automated patient privacy monitoring platform analyzes user behavior to detect and resolve Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The Breach Barometer is a monthly snapshot of reported or disclosed breaches affecting the healthcare industry, with data compiled and provided by DataBreaches.net.
After an unheard-of 11 million patient records were breached in June, July's total of records breached is back down to April’s levels (though nearly half of U.S. states had at least one healthcare data breach incident this month). The growing impact, costs and rate of breaches illustrate how vulnerable the healthcare industry remains. In July, Oregon Health and Science University and The University of Mississippi Medical Center paid fines of $2.7 million and $2.75 million, respectively, to the HHS Office of Civil Rights (OCR) for HIPAA breaches and alleged violations.
What’s more, the largest single breach, of 23,565 records, was once again the work of the hackers known as “TheDarkOverLord.” Forty-six percent (18 incidents) of breaches in July were insider incidents, including both accidental and intentional wrongdoing. Twenty-eight percent (11 incidents) of breaches involved hacking or ransomware, including the two databases put up for sale by TheDarkOverLord on the dark web.
Interestingly, paper records were involved in nearly 25 percent of incidents, with some records simply left behind or lost through carelessness. Business associates or vendors continue to be a source of concern and accounted for 24 percent (9 incidents), according to the findings. Eighty-seven percent of breaches involved healthcare providers (34 incidents), followed by 8 percent involving health plans (3 incidents), 2.5 percent involving a business associate or vendor (1 incident), and 2.5 percent from a U.S. Army prison hospital (1 incident).
Furthermore, the average time lapse between when a breach occurred and when it was reported is just over two years (25.5 months) for the 16 breaches in July where the exact interval is known. This interval data confirms that breaches often go on for months or years before they are publicly reported. The longest time elapsed from breach to report was over six years. Six organizations reported within three months.
Not even halfway through the month, August has already seen a few major data breaches in the industry. Last week, Phoenix-based Banner Health, one of the largest healthcare systems in the U.S., announced that it is notifying approximately 3.7 million individuals about a breach in which cyber attackers gained unauthorized access to computer systems that process payment card data at food and beverage outlets at certain Banner locations. And on August 5, Albany, New York-based Newkirk Products, a BlueCross BlueShield business associate that issues healthcare ID cards for health insurance plans, reported a cyber security incident involving unauthorized access to a server containing approximately 3.3 million plan members’ personal information.