Report: Data Breach Incidents in March Affected 1.5 Million Patient Records | Healthcare Informatics Magazine | Health IT | Information Technology

Report: Data Breach Incidents in March Affected 1.5 Million Patient Records

April 14, 2017
by Heather Landi

There was a sharp spike in the number of breached patient records as the result of data breach incidents in March, with this month seeing 2.5 times the number of breached records in January and February combined, according to the latest Protenus “Breach Barometer” report.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by This month’s analysis showed 31 breach incidents either reported to the U.S. Department of Health and Human Services or first disclosed in media or other sources, which is the same number of incidents as reported in January.

This report comes on the heels of another cybersecurity study that found that academic medical centers are more likely to experience data breaches than other health systems. A study, published online by JAMA Internal Medicine, and led by a researcher at the Johns Hopkins Carey Business School, found that the risk of data breaches at U.S. hospitals is greater at larger facilities and hospitals that have a major teaching mission. For that study, researchers examined the federal Department of Health and Human Services' statistics on data breaches reported by various health care providers from late 2009 through 2016. They found that 216 hospitals reported a total of 257 breaches during that period, and that 33 of those hospitals—15 percent—were breached at least twice. The researchers also looked at hospitals that reported no data breaches. Comparing these findings with the information from the compromised hospitals, the researchers noted that the breached facilities were larger, with a median number of 262 beds, compared to 134 for the non-breached. More than a third of those breached hospitals also were major teaching facilities.

According to the Protenus report, there were 39 separate breach incidents in March, which is an uptick from the 31 separate breach incidents in February and in January. The 39 incidents in March affected 1,519,521 patient records, Protenus reports; the largest single incident involved almost 700,000 patient records and was reported to HHS as “theft-other.” The number of breached patient records last month—1.5 million—is a drastic increase from the numbers in January (388,000 patient records) and February (206,000 patient records).

The Protenus report also indicates that insider threats remain significant in healthcare. Insiders were responsible for 44 percent of March’s total breach incidents (17 incidents), affecting 179,000 patient records. Ten of the reported insider incidents were the result of insider-error, and seven of the reported incidents were the result of insider-wrongdoing.

As in previous months, other than February, hacking accounted for a significant percentage of records and incidents (11 incidents accounted for 28 percent of total incidents), Protenus reports. The hacking incidents reported this month affected 600,270 patient records.

So far in 2017, Protenus researchers report, third-party breaches have represented a substantial portion of total breached patient records, 82 percent in January and 21 percent in February. In March, by contrast, third parties were responsible for only 3 percent (one incident) of total breached patient records.

There is some good news, however, as the report also found that the time to report by healthcare organizations improved in March compared to previous months. Previous Protenus reports have found that it has taken several months or years for a healthcare system to discover and report a health data breach to HHS. Of the incidents reported in March for which Protenus had data, it took an average of 45 days from the time the breach was discovered to when it was reported to HHS, which signifies a dramatic improvement from the 478 days it took HHS to be notified of breaches reported in February. HHS requires that healthcare organizations report data breach incidents within a 60-day window.

“It should also be noted that HHS OCR has recently started fining entities for not reporting a health data breach within the required time frame. It leads one to ask—have recent OCR fines led to an increase in diligent and prompt reporting of health data breaches?,” the report authors wrote.

