8.8 Million Patient Records Breached in August | Healthcare Informatics Magazine

September 8, 2016
by Heather Landi

Nearly 20 million patients have been affected by personal health information breaches this summer, with 8.8 million records breached in August alone, according to The Protenus Breach Barometer.

The August breach reporting follows an unheard-of 11 million patient records breached in the month of June. The Protenus Healthcare Breach Barometer is a monthly snapshot of reported or disclosed breaches involving protected health information or medical/health information and is created in conjunction with DataBreaches.net.

As previously reported by Healthcare Informatics, following the staggering number of patient record breach reports in June, July’s total number of records breached—126,930—was back down to April’s levels.

In August, there were 44 reports stemming from 42 separate incidents either reported to the U.S. Department of Health and Human Services (HHS) or first disclosed in the media or other sources. Those 42 incidents are the highest number of monthly incidents reported so far this year.

The number of patients affected was available for 32 of those 44 August reports, totaling 8,804,608 records breached, according to the August Breach Barometer analysis.

August also saw two important developments related to the HHS Office of Civil Rights (OCR), the entity responsible for enforcing HIPAA’s (Health Insurance Portability and Accountability Act) Privacy Rule. This summer saw a number of large settlements with HHS due to potential HIPAA violations. In the latest settlement to date, Advocate Health Care Network agreed to pay $5.5 million to settle HHS charges stemming from multiple health data breaches. In addition, Oregon Health and Science University (OHSU) agreed to pay $2.7 million to settle investigations into two data breaches in 2013, and the University of Mississippi will pay $2.75 million for its settlement with HHS. Together, these settlements exceed $10 million.

Also this summer, OCR announced an initiative to increase its investigations of smaller health data breaches, that is, breaches affecting fewer than 500 individuals. According to OCR, each of the agency’s regional offices will “increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

For the 42 health data breach incidents in August, 43 percent were insider threats, including both accidental and intentional wrongdoing, while 29 percent of incidents involved hacking, malware or ransomware. While hacking accounted for fewer incidents than insider events, the hacking incidents accounted for 91 percent of records breached in August. The other types of incidents include loss/theft (12 percent) and unknown (17 percent).

The largest breach in August involved 3.6 million patient records. In that incident, Newkirk Products, a company that issues healthcare ID cards for health insurance plans, reported a cyber security incident involving unauthorized access to a server containing plan members’ personal information. Unlike June, when the majority of breached health records were the work of the hackers known as “TheDarkOverLord,” the hacking incidents reported in August were not linked to a single source.

Of the entities reporting data breaches in August, 86 percent were healthcare providers, close to 5 percent were health plans, and another 5 percent were business associates/vendors.

Data security incidents involving business associates or vendors continue to be a concern. Business associates were involved in 19 percent of breaches in August, yet those incidents accounted for 47 percent of all breached records for the month.

One troubling fact is that one breach reported in August began in 2008, taking more than eight years to be publicly reported. However, many healthcare organizations appear to be responding promptly once a breach occurs. The August breach barometer analysis found that five entities—Autism Home Support Services, Outer Banks Hospital, Professional Dermatology, Orleans Medical Clinic and Banner Health—discovered a breach within 20 days of the breach occurring.

Furthermore, based on the breach reports, a handful of entities also responded quickly once a breach was discovered.

 
