Healthcare Informatics Magazine

Report: 60 Percent of Healthcare Data Breaches in February Came From Within the Organizations

March 20, 2017
by Heather Landi

In February, hacking incidents only accounted for 12 percent of total healthcare data breach incidents, yet insiders were responsible for almost 60 percent of the total breach incidents during the month, which points to a troubling trend, according to the latest Protenus “Breach Barometer” report.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net. This month’s analysis showed 31 breach incidents either reported to the U.S. Department of Health and Human Services or first disclosed in media or other sources, which is the same number of incidents as reported in January.

While the number of incidents remained the same, February experienced a 47 percent drop in the number of affected patient records (206,151 vs. 388,207), according to Protenus. The largest single incident involved 100,000 patient records, and was the result of insider-error.

In previous months, healthcare saw hacking incidents that affected considerable amounts of patient data, usually totaling a bit more than a quarter of total incidents. In February, however, hacking resulted in only 12 percent of total breach incidents, or four incidents. For hacking incidents for which Protenus has numbers, these four incidents affected 44,144 patient records.

Insiders were responsible for 58 percent (18 incidents) of February’s total breach incidents, affecting 146,162 patient records. Protenus’ analysis found that eight of the eighteen insider incidents were the result of insider-wrongdoing, affecting 12,020 patient records. Nine of the incidents were the result of insider-error, affecting 133,418 patient records. One insider incident, involving 724 records, could not be classified due to lack of provided information, Protenus reported.

The rise in the number of insider-related breach incidents points to a troubling trend in healthcare. According to Protenus’ November “breach barometer” report, in which there were 57 data breach incidents, 54 percent of the total breaches affecting patient data were a result of insiders, or 31 incidents.

In a year-end review of healthcare data breaches, Protenus researchers concluded that insiders are a very real risk to the security of patient data. “The high number of breach incidents, and the fact that these small-scale breaches can often go undetected, make these breaches especially devastating. The healthcare industry should prepare for an increase in insider health data breaches until organizations further require additional training and utilize technology to detect inappropriate accesses to the medical record, further reducing their breach risk,” the report authors wrote.

Another troubling factor is how long it takes for healthcare organizations to discover a breach and the length of time from discovery to reporting the incident. The Protenus report authors note that some breach incidents are not publicly disclosed for months, or in some cases, several years. “Examining incidents for which we know the date of the breach, date of discovery, and date the breach was reported, it’s clear that some healthcare organizations are doing better than others when it comes to proactively managing their patient data,” the report authors wrote.

Of the incidents reported in February for which Protenus has data, it took an average of 478 days from the time the breach occurred to when HHS was notified, the report notes. This is a dramatic increase from the average of 174 days that elapsed from breach to reporting for January breaches, according to the Protenus report.

“There were two instances in February in which it took organizations over five years (1,952 and 2,103 days, respectively) to discover that a health data breach had even occurred,” the report authors wrote. “The first incident should remind organizations that protocols need to be in place to ensure glitches with technology are caught and corrected in order to avoid vulnerabilities persisting for years before discovery. The second incident stresses the importance of organizations proactively monitoring their patient data for inappropriate accesses to their sensitive medical information.”

The report authors emphasized that the sooner a healthcare organization can detect when there has been inappropriate access to patient data, the sooner they can mitigate the risk of significant damage and greatly reduce the associated cost the organization will suffer in brand, reputation, lawsuits and fines.

“February’s health data breaches reinforce the importance of understanding inappropriate workforce activity, especially when the majority of incidents come from within a healthcare organization,” the Protenus report authors wrote. “It’s important for healthcare organizations to use advanced analytics to immediately detect breaches of this magnitude in real-time, greatly reducing the impact for patients and organizations alike.”

Looking at the types of entities reporting data breaches during the month of February, of the 31 reported incidents, there were 24 incidents reported by healthcare providers (77 percent of all reported entities), four incidents reported by health plans, two reported by third parties, and one incident reported by a business not covered by HIPAA, according to the Protenus analysis.

While third-party breaches constituted 82 percent of total patient records breached in January, there was a significant drop in February, affecting only 21 percent of patient records. Third parties were responsible for seven breach incidents, with numbers available for six of these incidents, affecting 44,191 patient records.

 
