In the first nine months of 2017, unintended disclosure accounted for 41 percent of healthcare data breach incidents, according to a report from specialist insurer Beazley. The high level of unintended disclosure incidents remains more than double that of the second most frequent cause of loss, hack or malware (19 percent), the report states.
Beazley’s quarterly breach insights report examines the major causes of data breaches reported by healthcare insureds in the first nine months of 2017. “Whether it is an email containing protected health information (PHI) sent to the wrong recipient, discharge instructions given to the wrong patient, or a server containing PHI accidentally left open to the public, healthcare entities continue to struggle with human error on a regular basis,” the report authors wrote.
What’s more, unintended disclosure incidents are a persistent threat and expose organizations to greater risks of regulatory sanctions and financial penalties. Yet, the report authors note, unintended disclosures are much easier to control and mitigate than external threats, which is why healthcare organizations should not ignore this significant risk and should invest time and resources in employee training.
As noted, 19 percent of data breaches were caused by hack or malware. What’s more, the report found that 15 percent of healthcare data breaches were caused by insiders, 8 percent were caused by a physical loss, 6 percent were attributed to a portable device and 3 percent were attributed to social engineering.
While insider incidents only accounted for 15 percent of breach incidents, healthcare insureds have reported more insider incidents thus far in 2017 than in 2016, when insider incidents accounted for 12 percent of healthcare incidents. Typically, insider incidents involve an employee viewing patient records without a work-related reason to do so, perhaps looking at a celebrity patient’s record or the record of an ex-spouse or neighbor. These “employee snooping” incidents are usually discovered by audits run on the electronic medical records system or by another employee or patient reporting the suspected snooping.
The report authors note, “It is unclear what has led to the increase in insider incidents in healthcare, but what is clear is that increased employee vigilance and auditing will help organizations identify such behavior early on, reducing the number of affected patients and hopefully lessening the likelihood of regulatory inquiry.”
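The auditing the report recommends usually means reviewing EMR access logs for reads that have no documented treatment relationship behind them. The following is an added example, not code from the report or from any EMR vendor: it runs a simple snooping heuristic over a constructed audit log, treating an access as unjustified when the user is neither on the patient’s care team nor had a scheduled encounter with the patient around that day, escalating accesses to records flagged as restricted, and noting after-hours access as a risk factor. The log format, the care-team and encounter tables, the restricted-record list and the time windows are all assumptions made for the illustration.

```python
"""Added example: flag possible employee snooping in EMR access audit logs.

Heuristic: an access is suspicious when the user had no documented treatment
relationship with the patient (care-team assignment or scheduled encounter)
around the time of access. Accesses to restricted records are escalated and
after-hours access is noted. All data below is constructed for illustration;
nothing here comes from a real system or from the Beazley report.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit log, one access per line: timestamp|user|patient|action
SAMPLE_LOG = """\
2017-09-12T08:05:00|nurse_a|P1001|view_chart
2017-09-12T08:40:00|nurse_a|P2002|view_chart
2017-09-12T11:15:00|clerk_b|P3003|view_demographics
2017-09-12T12:02:00|dr_c|P2002|view_chart
2017-09-12T22:30:00|dr_c|P4004|view_chart
2017-09-13T09:00:00|clerk_b|P1001|view_chart
"""

# Constructed care-team assignments: (user, patient, first_day, last_day), inclusive
CARE_TEAM = [
    ("nurse_a", "P1001", "2017-09-10", "2017-09-14"),
    ("dr_c", "P2002", "2017-09-11", "2017-09-13"),
]
# Constructed scheduled encounters: (user, patient, day)
ENCOUNTERS = [("clerk_b", "P3003", "2017-09-12")]
# Constructed set of records under enhanced privacy protection (e.g. a VIP patient)
RESTRICTED = {"P2002", "P4004"}

ASSIGNMENT_SLACK = timedelta(days=1)  # grace period around a care-team assignment (assumed)
ENCOUNTER_SLACK = timedelta(days=1)   # charting/billing trails a visit by a day (assumed)
AFTER_HOURS = (22, 6)                 # 22:00-06:00 counts as after hours (assumed)


@dataclass
class Finding:
    user: str
    patient: str
    ts: datetime
    action: str
    severity: str
    reason: str


def parse_log(text):
    """Parse the pipe-delimited audit format into (timestamp, user, patient, action)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.strip().split("|")
        records.append((datetime.fromisoformat(ts), user, patient, action))
    return records


def has_treatment_relationship(user, patient, ts, care_team=CARE_TEAM, encounters=ENCOUNTERS):
    """True if the user had a documented reason to open this patient's record at ts."""
    day = ts.date()
    for u, p, first, last in care_team:
        if u == user and p == patient:
            start = datetime.fromisoformat(first).date() - ASSIGNMENT_SLACK
            end = datetime.fromisoformat(last).date() + ASSIGNMENT_SLACK
            if start <= day <= end:
                return True
    for u, p, visit in encounters:
        if u == user and p == patient:
            visit_day = datetime.fromisoformat(visit).date()
            if visit_day <= day <= visit_day + ENCOUNTER_SLACK:
                return True
    return False


def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def detect_snooping(log_text, care_team=CARE_TEAM, encounters=ENCOUNTERS, restricted=RESTRICTED):
    """Return a Finding for every access with no documented treatment relationship."""
    findings = []
    for ts, user, patient, action in parse_log(log_text):
        if has_treatment_relationship(user, patient, ts, care_team, encounters):
            continue
        reasons = ["no care-team assignment or encounter for this patient"]
        severity = "medium"
        if patient in restricted:
            severity = "high"
            reasons.append("record is flagged restricted")
        if is_after_hours(ts):
            reasons.append("after-hours access")
        findings.append(Finding(user, patient, ts, action, severity, "; ".join(reasons)))
    return findings


def unjustified_access_counts(findings):
    """Per-user tally of unjustified accesses, the figure an auditor reviews first."""
    return dict(Counter(f.user for f in findings))


if __name__ == "__main__":
    results = detect_snooping(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts.isoformat()} {f.severity:6} {f.user} -> {f.patient} ({f.action}): {f.reason}")
    print(unjustified_access_counts(results))
```

On the constructed log this flags three accesses: two reads of restricted records with no relationship (one of them at 22:30) and one ordinary chart view by a clerk with no assignment or encounter. Real deployments tune the slack windows per role and carry a break-the-glass workflow so that emergency access is reviewed rather than blocked, but the core check, relationship or not, is what surfaces the celebrity, ex-spouse and neighbor lookups the report describes.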
Another noticeable trend across all industries in 2017 is the nine-fold increase in social engineering attacks. A social engineering attack occurs when an attacker uses deception to manipulate individuals into divulging confidential or personal information.
The report also notes that there has been a marked increase in the number of Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforcement activities in recent years. As the number of investigations and resolution agreements have increased, so too has the average settlement payment.
The combined total of 13 resolution agreements in 2014 and 2015 saw settlement amounts ranging from $125,000 to $3.5 million (an approximate average of $1 million each), the report notes. In 2016, there were about 13 resolution agreements and so far in 2017 there have been nine. The 2016 and 2017 resolution agreement settlements range from $31,000 to $5.5 million (an average of $1.8 million each), according to the report.
The report authors also note that there may be two reasons for the increase in enforcement activities: OCR has more resources at its disposal and far less patience for HIPAA non-compliance, and OCR representatives have also expressed frustration at entities’ failure to comply with HIPAA’s privacy and security rules, which have been on the books since 2003 and 2005, respectively.
Healthcare organizations should also be aware that when they report a breach, it opens the door for OCR to investigate the entity’s basic HIPAA compliance, the report authors note. The investigation in turn can lead to corrective action plans and settlements. Typically, it takes three to six years from the time the breach was first reported to OCR to resolution, imposing a long-term drain on managerial resources as well as finances.
“But with the increase in OCR’s resolution agreements, a trend of OCR’s hot button issues has emerged. Organizations should review previous resolution agreements (all of which are available on OCR’s website) and familiarize themselves with what OCR considers to be best practices, such as: device encryption; workforce education and training; updating of policies and procedures; the elimination of old data; security risk assessments; risk mitigation plans; vendor management and using the minimum amount of PHI.”
Katherine Keefe, global head of Beazley Breach Response Services, said in a statement, “All organizations face the reality that data breaches have become inevitable. And the stakes are high: they hold personal data on trust for customers, employees and patients. The volume of protected health information maintained by healthcare organizations and the digitization of electronic health records have increased the vulnerability for large breaches. It is important to understand the underlying causes so as to mitigate and manage them effectively.”