November saw an acceleration in the growing trend of health data breaches with 57 separate breach incidents, or an average of almost two per day, the highest in 2016, according to the latest Protenus Breach Barometer report.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net. This month’s analysis showed 35 incidents either reported to the U.S. Department of Health and Human Services or first disclosed in media or other sources.
“With an average of almost 2 breaches per day, November has seen a record number of breach incidents, the highest of any month in 2016. What’s even more concerning is that employees (insiders) are responsible for more than half of this month’s breaches to patient data, a notable increase from past months,” the report authors wrote.
The report authors note that the November breach incident data reinforces the need for health data security to be a top priority for healthcare organizations.
The past two months had shown a decline in both the total number of patient records breached and the number of incidents reported when compared to the summer months. November, however, saw a sharp increase in the number of breach incidents, with 60 percent more breaches than in October. Up until November, the highest monthly count had been August with 42 incidents. For comparison, June had 28 separate breach incidents and July had 39; after the 42 incidents in August, the number began to decline, with 37 in September and 35 in October.
The Protenus Breach Barometer’s November analysis indicates 57 incidents either reported to HHS or first disclosed in media or other sources. Information was available for 49 of these incidents, totaling 458,639 records breached. The report also notes that it is not clear whether one of the entities reported only itself to HHS or also reported its affiliated clinic.
Of the November breach incidents, 54.4 percent, or 31 incidents, were the result of insiders. The largest single incident involved 170,000 patient records and was caused by a business associate’s insider error. Of these 31 incidents, 17 were the result of an error or accident, while 14 were the result of insider wrongdoing. In the 12 insider-error incidents for which Protenus has numbers, 264,099 patient records were involved. In the nine incidents caused by insider wrongdoing, 17,237 patient records were involved.
“Nine breach incidents to patient data were a result of hacking, down from 14 hacking incidents in October. Three of November’s incidents specifically mentioned ransomware and another incident mentioned ransom/extortion but not ransomware. TheDarkOverLord struck again, as he was responsible for the ransom/extortion demand. In the six hacking incidents for which we have numbers, 102,883 patient records were involved,” the report authors wrote.
Further, of the 57 reported incidents in November, 40 incidents involved healthcare providers (70 percent of reported entities), followed by 11 incidents involving health plans, and three incidents involving business associates. There were three other entities that reported a data breach: a financial services firm, an anti-doping agency, and one other business.
At least 25 of the 57 incidents (44 percent) involved business associates (BAs) or third parties, and 11 different BAs or vendors were involved in these 25 breach incidents. The report also notes that paper records were involved in two incidents.
According to the report’s November analysis, it took an average of 135 days from the time a breach occurred to when HHS was notified, significantly longer than the average number of days from breach to reporting for October’s incidents.
“It’s important to note that HHS requires entities to report their breach within 60 days of discovery. Sixty-five percent of reporting entities for which we have numbers took longer than the 60-day window to report their breach. It goes without saying that it is essential for organizations to be proactive when monitoring patient data. The sooner a breach is detected, the quicker the healthcare organization can mitigate the risk of significant damage being done with their patients’ data. The longer PHI is exposed, the more it can cost the healthcare organization and ultimately become troublesome for the patients,” the report authors wrote.