Nearly 20 million patients have been affected by personal health information breaches this summer, with 8.8 million records breached in August alone, according to The Protenus Breach Barometer.
The August breach reporting follows an unheard-of 11 million patient records breached in the month of June. The Protenus Healthcare Breach Barometer is a monthly snapshot of reported or disclosed breaches involving protected health information or medical/health information, and is created in conjunction with DataBreaches.net.
As previously reported by Healthcare Informatics, following the staggering number of patient record breach reports in June, July’s total number of records breached—126,930—was back down to April’s levels.
In August, there were 44 reports stemming from 42 separate incidents either reported to the U.S. Department of Health and Human Services (HHS) or first disclosed in the media or other sources. Those 42 incidents are the highest number of monthly incidents reported so far this year.
The number of patients affected was available for 32 of those 44 August reports, totaling 8,804,608 records breached, according to the August Breach Barometer analysis.
August also saw two important developments related to the HHS Office for Civil Rights (OCR), the entity responsible for enforcing the Privacy Rule of HIPAA (the Health Insurance Portability and Accountability Act). This summer saw a number of large settlements with HHS due to potential HIPAA violations. In the latest settlement to date, Advocate Health Care Network agreed to pay $5.5 million to settle HHS charges stemming from multiple health data breaches. In addition, Oregon Health and Science University (OHSU) agreed to pay $2.7 million to settle investigations into two data breaches in 2013, and the University of Mississippi will pay $2.75 million for its settlement with HHS. Together, these settlements exceed $10 million.
Also this summer, OCR announced an initiative to increase its investigations of smaller health data breaches, meaning breaches affecting fewer than 500 individuals. According to OCR, each of the agency’s regional offices will “increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches.”
For the 42 health data breach incidents in August, 43 percent were insider threats, including both accidental and intentional wrongdoing, while 29 percent of incidents involved hacking, malware or ransomware. While hacking accounted for fewer incidents than insider events, the hacking incidents accounted for 91 percent of records breached in August. The other types of incidents include loss/theft (12 percent) and unknown (17 percent).
The largest breach in August involved 3.6 million patient records. In that incident, Newkirk Products, a company that issues healthcare ID cards for health insurance plans, reported a cyber security incident involving unauthorized access to a server containing plan members’ personal information. Unlike June, when the majority of breached health records were the work of the hackers known as “TheDarkOverLord,” the hacking incidents reported in August were not linked to a single source.
Of the entities reporting data breaches in August, 86 percent were healthcare providers, close to 5 percent were health plans, and another 5 percent were business associates/vendors.
Data security incidents involving business associates or vendors continue to be a concern. Business associates were involved in 19 percent of breaches in August, yet those incidents accounted for 47 percent of all breached records for the month.
One troubling fact is that one breach reported in August began in 2008, taking more than eight years to be publicly reported. However, many healthcare organizations appear to be responding promptly once a breach occurs. The August breach barometer analysis found that five entities—Autism Home Support Services, Outer Banks Hospital, Professional Dermatology, Orleans Medical Clinic and Banner Health—discovered a breach within 20 days of the breach occurring.
Furthermore, based on the breach reports, a handful of entities also responded quickly once a breach was discovered.