Report: Insider Threats to Patient Data Remain Unnoticed | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Report: Insider Threats to Patient Data Remain Unnoticed

October 18, 2017
by Heather Landi
| Reprints
Click To View Gallery

Of the reported healthcare data breach incidents that occurred in September, it took an average of 387 days for healthcare organizations to discover a breach had occurred, according to a report from cybersecurity software company Protenus.

There was a substantial uptick in the number of breach incidents reported in the month of September, with almost half a million patient records compromised, according to the report. There were 46 incidents in September, compared to 33 in August, 36 in July and 52 in June. The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by The report includes breach incidents either disclosed to the U.S. Department of Health and Human Services (HHS) or to the media in the past month.

For the 42 incidents for which Protenus had numbers, 499,144 patient records were affected. The largest single incident for which Protenus had numbers involved 128,000 patient records in a hacking incident that involved ransomware. Reports did make it clear that this patient data was made inaccessible by the hacking.

In September, hacking accounted for 40 percent of all data breach incidents and 80 percent of all breached patient records. “There was one report that specifically mentioned ransomware, seven reports that mentioned phishing, and eight reports mentioned extortion attempts as part of the health data breach. The blackhat hackers known as TheDarkOverLord (TDO), whose hacks in the healthcare sector have been previously noted in our monthly reports, claimed responsibility for all eight of these extortion incidents,” the report stated. notes that extortion is on the rise across all sectors, and that the healthcare sector and education sector are prime targets for extortionists due to the sensitivity of the data and lack of security.

What’s more, there has been another string of insider breaches first reported in September that have taken at least a year to discover, and in some cases several years lapsed before discovery, the report stated. “It’s paramount for healthcare organizations to become more proactive and efficient at detecting these insider breaches, as the organization’s reputation and patient livelihoods are at stake. Healthcare organizations must learn from one another and utilize necessary resources to better combat this problem that is continuously plaguing the industry,” the report authors wrote.

Insiders were responsible for 33 percent of September’s breach incidents, and insider-wrongdoing affects almost three times as many patient records as insider-error.

“One insider-wrongdoing incident actually involved multiple hospital employees when they found out a patient was brought into the ER with a genital injury involving a foreign object,” the report authors wrote. “’A ton’ of hospital employees gathered in the patient’s OR room and took pictures of the injury with their cellphones. These pictures began to circulate around the hospital staff prompting a vigilant employee to bring the incident to hospital administrators.”

The report also notes one incident involving paper records, which is also an example of malicious insider-wrongdoing. A hospital employee stole a laptop and paper records, and then used that patient information to open credit cards in the patients’ names. “Unfortunately, this is an all too common example of the malicious activity that can occur when bad actors within a healthcare organization have access to patient information,” the report authors wrote, noting that this should serve as a reminder to healthcare organizations that it takes more than training and education to truly thwart insider-wrongdoing within an organization. “There are advanced analytics used within the nation’s leading hospitals that detect abnormal behavior within the EHR, promptly identifying potentially serious breaches to patient privacy, mitigating the overall risk to the organization and more importantly, its patients,” the report authors wrote.

Looking at time to discovery, of the reported incidents in September, it took an average of 387 days (median = 38 days) for healthcare organizations to discover a breach had occurred. While some entities discovered a breach immediately, while one incident went undiscovered for almost six years, a result of insider-wrongdoing affecting 1,969 patient records. The longevity of this type of breach reinforces the need to have technology in place that can proactively detect a health data breach.

It also took an average of 66 days (median = 59 days) from the time a breach was discovered to when it was disclosed, either to HHS, the media or to state attorneys general.

The report authors conclude that the longevity of insider breaches is a cause for concern for healthcare organizations and reinforces the need for healthcare to proactively detect health data breaches. “Since the inception of the Breach Barometer, the report has consistently found the same reoccurring trends with the number of breach incidents each month and that insider threats to patient data remain unnoticed. It’s time for the healthcare industry to make patient privacy a priority,” the report authors wrote.

Get the latest information on Cybersecurity and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Stanford and Google Team Up on Digital Scribe Pilot Project

Stanford Medicine and Google Research have launched a pilot project to study the use of a digital-scribe to replace a human scribe in order to save the physician time on data entry and improve physician-patient interaction.

PCORI Board Funds 14 Clinical Effectiveness Research Projects

The Patient-Centered Outcomes Research Institute (PCORI) board of governors has approved $57 million to fund 14 new comparative clinical effectiveness research studies.

House Committee Calls on HHS to Enhance Security of Medical Device Components

The House Committee on Energy and Commerce is calling on the U.S. Department of Health and Human Services (HHS) to take steps to strengthen the cybersecurity of medical devices by focusing on the security of technology components.

Healthcare Industry Leaders Submit Comments on Future of CMMI

Responses to the CMS' request for information on the Innovation Center New Direction were due Monday, and several health IT and healthcare industry organizations submitted feedback on the future of CMMI.

HHS OIG to Review Medicaid Telehealth Payments

The U.S. Department of Health and Human Services (HHS) Office of the Inspector General (OIG) plans to review Medicaid payments for telehealth services to gauge compliance with reimbursement requirements.

Survey: Health IT is Underfunded at European Healthcare Organizations

Health IT is not sufficiently funded and supported at most European healthcare provider organizations, according to an eHealth survey from HIMSS Analytics.