Nearly 130K Records Breached in July with TheDarkOverLord as Main Culprit | Healthcare Informatics Magazine

August 11, 2016
by Rajiv Leventhal
Twenty-eight percent of breaches in the month involved hacking or ransomware; some go unreported for years

A total of 39 incidents and 126,930 records breached in the U.S. involving protected health information or medical/health information were either disclosed or reported in July, according to The Protenus Breach Barometer.

The Protenus automated patient privacy monitoring platform analyzes user behavior to detect and resolve Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

After an unheard-of 11 million patient records were breached in June, July's number of total records breached is back down to April’s levels (though nearly half of U.S. states had at least one healthcare data breach incident this month). The growing impact, costs and rate of breaches illustrate how vulnerable the healthcare industry remains. In July, Oregon Health and Science University and The University of Mississippi Medical Center paid fines of $2.7 million and $2.75 million, respectively, to the HHS Office of Civil Rights (OCR) for HIPAA breaches and alleged violations.

What’s more, the largest single breach of 23,565 was, once again, the work of the hackers known as “TheDarkOverLord.” Forty-six percent (18 incidents) of breaches in July were insider incidents, including both accidental and intentional wrongdoing. Twenty-eight percent (11 incidents) of breaches involved hacking or ransomware, including the two databases put up for sale by TheDarkOverLord on the dark web.

Interestingly, paper records were involved in nearly 25 percent of incidents, with some records just carelessly left behind or lost. Business associates or vendors continue to be a source of concern and accounted for 24 percent (9 incidents), according to the findings. Eighty-seven percent of breaches involved healthcare providers (34 incidents), followed by 8 percent involving health plans (3 incidents), 2.5 percent involving a business associate or vendor (1 incident), and 2.5 percent from a U.S. Army prison hospital (1 incident).

Furthermore, the average time lapse between when a breach occurred and when the breach was reported is just over two years (25.5 months) for the 16 breaches in July where the exact time interval is known. This interval data confirms that breaches often go on for months or years before they are publicly reported. The longest time elapsed from breach to report was over six years. Six organizations reported within three months.

Not even halfway through the month, August has already seen a few major data breaches in the industry. Last week, Phoenix-based Banner Health, one of the largest healthcare systems in the U.S., announced that it is notifying approximately 3.7 million individuals about a breach in which cyber attackers gained unauthorized access to computer systems that process payment card data at food and beverage outlets at certain Banner locations. And on August 5, Albany, New York-based Newkirk Products, a BlueCross BlueShield business associate that issues healthcare ID cards for health insurance plans, reported a cyber security incident involving unauthorized access to a server containing approximately 3.3 million plan members’ personal information.
