There was a sharp spike in the number of breached patient records as the result of data breach incidents in March, with this month seeing 2.5 times the number of breached records in January and February combined, according to the latest Protenus “Breach Barometer” report.
The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net. This month’s analysis showed 31 breach incidents either reported to the U.S. Department of Health and Human Services or first disclosed in media or other sources, which is the same number of incidents as reported in January.
This report comes on the heels of another cybersecurity study that found that academic medical centers are more likely to experience data breaches than other health systems. The study, published online by JAMA Internal Medicine and led by a researcher at the Johns Hopkins Carey Business School, found that the risk of data breaches at U.S. hospitals is greater at larger facilities and at hospitals that have a major teaching mission. For that study, researchers examined the federal Department of Health and Human Services' statistics on data breaches reported by various health care providers from late 2009 through 2016. They found that 216 hospitals reported a total of 257 breaches during that period, and that 33 of those hospitals—15 percent—were breached at least twice. The researchers also looked at hospitals that reported no data breaches. Comparing these findings with the information from the compromised hospitals, the researchers noted that the breached facilities were larger, with a median of 262 beds, compared to 134 for the non-breached hospitals. More than a third of the breached hospitals were also major teaching facilities.
According to the Protenus report, there were 39 separate breach incidents in March, which is an uptick from the 31 separate breach incidents in each of February and January. The 39 incidents in March affected 1,519,521 patient records, Protenus reports; the largest single incident, involving almost 700,000 patient records, was reported to HHS as “theft-other.” The number of breached patient records last month—1.5 million—is a drastic increase from the numbers in January (388,000 patient records) and February (206,000 patient records).
The Protenus report also indicates that insider threats remain significant in healthcare. Insiders were responsible for 44 percent of March’s total breach incidents (17 incidents), affecting 179,000 patient records. Ten of the reported insider incidents were the result of insider error, and seven were the result of insider wrongdoing.
As in previous months, other than February, hacking accounted for a significant percentage of records and incidents (11 incidents accounted for 28 percent of total incidents), Protenus reports. The hacking incidents reported this month affected 600,270 patient records.
So far in 2017, Protenus researchers report, third-party breaches have represented a substantial portion of total breached patient records: 82 percent in January and 21 percent in February. In March, by contrast, third parties were responsible for only 3 percent (one incident) of total breached patient records.
There is some good news, however, as the report also found that the time to report by healthcare organizations improved in March compared to previous months. Previous Protenus reports have found that it has taken several months or even years for a healthcare system to discover and report a health data breach to HHS. Of the incidents reported in March for which Protenus had data, it took an average of 45 days from the time the breach was discovered to when it was reported to HHS, which signifies a dramatic improvement from the 478 days it took for HHS to be notified of breaches reported in February. HHS requires that healthcare organizations report data breach incidents within a 60-day window.
“It should also be noted that HHS OCR has recently started fining entities for not reporting a health data breach within the required time frame. It leads one to ask—have recent OCR fines led to an increase in diligent and prompt reporting of health data breaches?” the report authors wrote.