Report: 60 Percent of Healthcare Data Breaches in February Came From Within the Organizations | Healthcare Informatics Magazine


March 20, 2017
by Heather Landi

In February, hacking incidents only accounted for 12 percent of total healthcare data breach incidents, yet insiders were responsible for almost 60 percent of the total breach incidents during the month, which points to a troubling trend, according to the latest Protenus “Breach Barometer” report.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net. This month’s analysis showed 31 breach incidents either reported to the U.S. Department of Health and Human Services or first disclosed in media or other sources, which is the same number of incidents as reported in January.

While the number of incidents remained the same, February experienced a 47 percent drop in the number of affected patient records (206,151 vs. 388,207), according to Protenus. The largest single incident involved 100,000 patient records, and was the result of insider-error.

In previous months, healthcare saw hacking incidents that affected considerable amounts of patient data, usually totaling a bit more than a quarter of total incidents. In February, however, hacking resulted in only 12 percent of total breach incidents, or four incidents. For hacking incidents for which Protenus has numbers, these four incidents affected 44,144 patient records.

Insiders were responsible for 58 percent (18 incidents) of February’s total breach incidents, affecting 146,162 patient records. Protenus’ analysis found that eight of the eighteen insider incidents were the result of insider-wrongdoing, affecting 12,020 patient records. Nine of the incidents were the result of insider-error, affecting 133,418 patient records. One insider incident, involving 724 records, could not be classified due to lack of provided information, Protenus reported.

The rise in the number of insider-related breach incidents points to a troubling trend in healthcare. According to Protenus’ November “breach barometer” report, in which there were 57 data breach incidents, 54 percent of the total breaches affecting patient data were a result of insiders, or 31 incidents.

In a year-end review of healthcare data breaches, Protenus researchers concluded that insiders are a very real risk to the security of patient data. “The high number of breach incidents, and the fact that these small-scale breaches can often go undetected, make these breaches especially devastating. The healthcare industry should prepare for an increase in insider health data breaches until organizations further require additional training and utilize technology to detect inappropriate accesses to the medical record, further reducing their breach risk,” the report authors wrote.

Another troubling factor is how long it takes for healthcare organizations to discover a breach and the length of time from discovery to reporting the incident. The Protenus report authors note that some breach incidents are not publicly disclosed for months, or in some cases, several years. “Examining incidents for which we know the date of the breach, date of discovery, and date the breach was reported, it’s clear that some healthcare organizations are doing better than others when it comes to proactively managing their patient data,” the report authors wrote.

Of the incidents reported in February for which Protenus has data, it took an average of 478 days from the time the breach occurred to when HHS was notified, the report notes. This is a dramatic increase from the average of 174 days that elapsed from breach to reporting for January breaches, according to the Protenus report.

“There were two instances in February in which it took organizations over five years (1,952 and 2,103 days, respectively) to discover that a health data breach had even occurred,” the report authors wrote. “The first incident should remind organizations that protocols need to be in place to ensure glitches with technology are caught and corrected in order to avoid vulnerabilities persisting for years before discovery. The second incident stresses the importance of organizations proactively monitoring their patient data for inappropriate accesses to their sensitive medical information.”

The report authors emphasized that the sooner a healthcare organization can detect when there has been inappropriate access to patient data, the sooner they can mitigate the risk of significant damage and greatly reduce the associated cost the organization will suffer in brand, reputation, lawsuits and fines.

“February’s health data breaches reinforce the importance of understanding inappropriate workforce activity, especially when the majority of incidents come from within a healthcare organization,” the Protenus report authors wrote. “It’s important for healthcare organizations to use advanced analytics to immediately detect breaches of this magnitude in real-time, greatly reducing the impact for patients and organizations alike.”

Looking at the types of entities reporting data breaches during the month of February, of the 31 reported incidents, there were 24 incidents reported by healthcare providers (77 percent of all reported entities), four incidents reported by health plans, two reported by third parties, and one incident reported by a business not covered by HIPAA, according to the Protenus analysis.

While third-party breaches constituted 82 percent of total patient records breached in January, there was a significant drop in February, affecting only 21 percent of patient records. Third parties were responsible for seven breach incidents, with numbers available for six of these incidents, affecting 44,191 patient records.

 
