Skip to content Skip to navigation

8.8 Million Patient Records Breached in August

September 8, 2016
by Heather Landi
| Reprints
Click To View Gallery

Nearly 20 million patients have been affected by personal health information breaches this summer, with 8.8 million records breached in August alone, according to The Protenus Breach Barometer.

The August breach reporting follows an unheard of 11 million patient records breached in the month of June. The Protenus Healthcare Breach Barometer is a monthly snapshot of reported or disclosed breaches involving protected health information or medical/health information and is created in conjunction with DataBreaches.net.

As previously reported by Healthcare Informatics, following the staggering number of patient record breach reports in June, July’s total number of records breached—126,930—was back down to April’s levels.

In August, there were 44 reports stemming from 42 separate incidents either reported to the U.S. Department of Health and Human Services (HHS) or first disclosed in the media or other sources. Those 42 incidents are the highest number of monthly incidents reported so far this year.

The number of patients affected was available for 32 of those 44 August reports, totaling 8,804,608 records breached, according to the August Breach Barometer analysis.

August also saw two important developments related to the HHS Office of Civil Rights, the entity responsible for enforcing HIPAA’s (Health Insurance Portability and Accountability Act) Privacy Rule. This summer saw a number of large settlements with HHS due to potential HIPAA violations. In the latest settlement to date, Advocate Health Care Network agreed to pay $5.5 million to settle HHS charges stemming from multiple health data breaches. In addition, Oregon Health and Science University (OHSU) agreed to pay $2.7 million to settle investigations into two data breaches in 2013, and the University of Mississippi will pay $2.75 million for its settlement with HHS. Together, these settlements exceed $10 million.

And, also this summer, OCR announced an initiative to increase its investigations on smaller health data breaches, or breaches affecting fewer than 500 individuals. According to OCR, each of the agency’s regional offices will “increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

For the 42 health data breach incidents in August, 43 percent were insider threats, including both accidental and intentional wrongdoing, while 29 percent of incidents involved hacking, malware or ransomware. While hacking accounted for fewer incidents than insider events, the hacking incidents accounted for 91 percent of records breached in August. The other types of incidents include loss/theft (12 percent) and unknown (17 percent).

The largest breach in August involved 3.6 million patient records. In that incident, Newkirk Products, a company that issues healthcare ID cards for health insurance plans, reported a cyber security incident involving unauthorized access to a server containing plan members’ personal information. Unlike June when the majority of breached health records were the work of the hackers known as “TheDarkOverLord,” the hacking incidents reported in August were not linked to single source.

Of the entities reporting data breaches in August, 86 percent were healthcare providers and close to 5 percent were health plans and another 5 percent were reported by business associates/vendors.

Data security incidents involving business associates or vendors continues to be a concern. Business associates were involved in 19 percent of breaches in August, yet those incidents accounted for 47 percent of all breached records for the month.

One troubling fact is that one breach reported in August began in 2008, taking more than eight years to be publicly reported. However, many healthcare organizations appear to be responding promptly once a breach occurs. The August breach barometer analysis found that five entities—Autism Home Support Services, Outer Banks Hospital, Professional Dermatology, Orleans Medical Clinic and Banner Health—discovered a breach within 20 days of the breach occurring.

Furthermore, a handful of entities also responded quickly once a breach was discovered based on the breach reports.

 

Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More

Topics

News

Califf to Lead Patient-Centered Research Foundation

Robert Califf, M.D., who stepped down as commissioner of the U.S. Food and Drug Administration in January, has been named chair of a new nonprofit organization, the People-Centered Research Foundation.

U.S. Lags on Adoption of Telehealth, According to Survey of Physicians

Only 4 percent of U.S.-based physicians think that their state has done “very well” implementing telehealth technologies and only 15 percent responded “well” when evaluating their state’s efforts to implement telehealth, according to a survey by Sermo.

CDC Survey: Cardiologists, Neurologists Have Highest EHR Adoption Rates

According to the Center for Disease Control and Prevention’s (CDC) National Electronic Health Records Survey, office-based cardiologists and neurologists have the highest electronic health record (EHR) adoption rates by specialty, at 95.6 percent and 94.5 percent, respectively.

UPMC Rolls out Telemedicine App for Pennsylvania Patients with 24/7 Service

UPMC (University of Pittsburgh Medical Center) Health Plan recently launched a new smartphone-enabled UPMC AnywhereCare platform that allows patients to receive remote care from emergency room professionals 24 hours a day and with reduced copays.

AHRQ Seeking Data on Use of Telehealth for Acute and Chronic Care Consultations

The Agency for Healthcare Research and Quality (AHRQ) is calling for public data on projects that have examined the value of telehealth for acute and chronic care.

Precision Cancer Medicine Building at UCSF Mission Bay Gets Approved

The UCSF (University of California San Francisco) Medical Center at Mission Bay’s Precision Cancer Medicine Building (PCMB) was approved by the University of California Board of Regents, and is on track to open in 2019.