8.8 Million Patient Records Breached in August | Healthcare Informatics Magazine

September 8, 2016
by Heather Landi

Nearly 20 million patients have been affected by personal health information breaches this summer, with 8.8 million records breached in August alone, according to The Protenus Breach Barometer.

The August breach reporting follows an unheard-of 11 million patient records breached in the month of June. The Protenus Healthcare Breach Barometer is a monthly snapshot of reported or disclosed breaches involving protected health information or medical/health information and is created in conjunction with DataBreaches.net.

As previously reported by Healthcare Informatics, following the staggering number of patient record breach reports in June, July’s total number of records breached—126,930—was back down to April’s levels.

In August, there were 44 reports stemming from 42 separate incidents either reported to the U.S. Department of Health and Human Services (HHS) or first disclosed in the media or other sources. Those 42 incidents are the highest number of monthly incidents reported so far this year.

The number of patients affected was available for 32 of those 44 August reports, totaling 8,804,608 records breached, according to the August Breach Barometer analysis.

August also saw two important developments related to the HHS Office for Civil Rights (OCR), the entity responsible for enforcing HIPAA’s (Health Insurance Portability and Accountability Act) Privacy Rule. This summer saw a number of large settlements with HHS due to potential HIPAA violations. In the latest settlement to date, Advocate Health Care Network agreed to pay $5.5 million to settle HHS charges stemming from multiple health data breaches. In addition, Oregon Health and Science University (OHSU) agreed to pay $2.7 million to settle investigations into two data breaches in 2013, and the University of Mississippi will pay $2.75 million for its settlement with HHS. Together, these settlements exceed $10 million.

Also this summer, OCR announced an initiative to increase its investigations into smaller health data breaches, or breaches affecting fewer than 500 individuals. According to OCR, each of the agency’s regional offices will “increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”

For the 42 health data breach incidents in August, 43 percent were insider threats, including both accidental and intentional wrongdoing, while 29 percent of incidents involved hacking, malware or ransomware. While hacking accounted for fewer incidents than insider events, the hacking incidents accounted for 91 percent of records breached in August. The other types of incidents include loss/theft (12 percent) and unknown (17 percent).

The largest breach in August involved 3.6 million patient records. In that incident, Newkirk Products, a company that issues healthcare ID cards for health insurance plans, reported a cyber security incident involving unauthorized access to a server containing plan members’ personal information. Unlike June, when the majority of breached health records were the work of the hackers known as “TheDarkOverLord,” the hacking incidents reported in August were not linked to a single source.

Of the entities reporting data breaches in August, 86 percent were healthcare providers, close to 5 percent were health plans, and another 5 percent were business associates/vendors.

Data security incidents involving business associates or vendors continue to be a concern. Business associates were involved in 19 percent of breaches in August, yet those incidents accounted for 47 percent of all breached records for the month.

One troubling fact is that one breach reported in August began in 2008, taking more than eight years to be publicly reported. However, many healthcare organizations appear to be responding promptly once a breach occurs. The August breach barometer analysis found that five entities—Autism Home Support Services, Outer Banks Hospital, Professional Dermatology, Orleans Medical Clinic and Banner Health—discovered a breach within 20 days of the breach occurring.

Furthermore, based on the breach reports, a handful of entities also responded quickly once a breach was discovered.
