Of the reported healthcare data breach incidents that occurred in September, it took an average of 387 days for healthcare organizations to discover a breach had occurred, according to a report from cybersecurity software company Protenus.
There was a substantial uptick in the number of breach incidents reported in the month of September, with almost half a million patient records compromised, according to the report. There were 46 incidents in September, compared to 33 in August, 36 in July and 52 in June. The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net. The report includes breach incidents either disclosed to the U.S. Department of Health and Human Services (HHS) or to the media in the past month.
For the 42 incidents for which Protenus had numbers, 499,144 patient records were affected. The largest single incident for which Protenus had numbers involved 128,000 patient records in a hacking incident that involved ransomware. Reports did make it clear that this patient data was made inaccessible by the hacking.
In September, hacking accounted for 40 percent of all data breach incidents and 80 percent of all breached patient records. “There was one report that specifically mentioned ransomware, seven reports that mentioned phishing, and eight reports mentioned extortion attempts as part of the health data breach. The blackhat hackers known as TheDarkOverLord (TDO), whose hacks in the healthcare sector have been previously noted in our monthly reports, claimed responsibility for all eight of these extortion incidents,” the report stated.
DataBreaches.net notes that extortion is on the rise across all sectors, and that the healthcare sector and education sector are prime targets for extortionists due to the sensitivity of the data and lack of security.
What’s more, there has been another string of insider breaches first reported in September that took at least a year to discover, and in some cases several years elapsed before discovery, the report stated. “It’s paramount for healthcare organizations to become more proactive and efficient at detecting these insider breaches, as the organization’s reputation and patient livelihoods are at stake. Healthcare organizations must learn from one another and utilize necessary resources to better combat this problem that is continuously plaguing the industry,” the report authors wrote.
Insiders were responsible for 33 percent of September’s breach incidents, and insider-wrongdoing affects almost three times as many patient records as insider-error.
“One insider-wrongdoing incident actually involved multiple hospital employees when they found out a patient was brought into the ER with a genital injury involving a foreign object,” the report authors wrote. “’A ton’ of hospital employees gathered in the patient’s OR room and took pictures of the injury with their cellphones. These pictures began to circulate around the hospital staff prompting a vigilant employee to bring the incident to hospital administrators.”
The report also notes one incident involving paper records, which is also an example of malicious insider-wrongdoing. A hospital employee stole a laptop and paper records, and then used that patient information to open credit cards in the patients’ names. “Unfortunately, this is an all too common example of the malicious activity that can occur when bad actors within a healthcare organization have access to patient information,” the report authors wrote, noting that this should serve as a reminder to healthcare organizations that it takes more than training and education to truly thwart insider-wrongdoing within an organization. “There are advanced analytics used within the nation’s leading hospitals that detect abnormal behavior within the EHR, promptly identifying potentially serious breaches to patient privacy, mitigating the overall risk to the organization and more importantly, its patients,” the report authors wrote.
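The report refers to analytics that flag abnormal behavior inside the EHR without saying how such detection works. The following is an added illustration written for this article, not Protenus code or the analytics of any hospital named in the report. It runs two common insider-access checks over a constructed EHR access-audit log (the log format, user names, patient IDs and care-team table are all hypothetical): accesses by staff with no documented treatment relationship to the patient, and a "snooping burst" where many distinct users open one record within a short window, the pattern behind the ER incident described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EHR access-audit records in a hypothetical CSV layout:
# timestamp, user, role, patient id, action. Not from any real system.
SAMPLE_AUDIT_LOG = """\
2017-09-12T08:02:00,nurse_a,RN,P1001,view
2017-09-12T08:05:00,dr_b,MD,P1001,view
2017-09-12T08:07:00,clerk_c,REG,P1001,view
2017-09-12T08:09:00,tech_d,RAD,P1001,view
2017-09-12T08:10:00,nurse_e,RN,P1001,view
2017-09-12T08:11:00,nurse_f,RN,P1001,view
2017-09-12T09:30:00,nurse_a,RN,P2002,view
2017-09-12T13:15:00,clerk_c,REG,P3003,view
"""

# Constructed care-team table: which users have a treatment or
# administrative relationship with which patient (hypothetical data).
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_b", "clerk_c"},
    "P2002": {"nurse_a"},
    "P3003": {"dr_b"},
}


def parse_audit_log(text):
    """Parse the constructed CSV audit log into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return records


def no_relationship_alerts(records, care_team):
    """Flag each access by a user who is not on the patient's care team.

    This is the basic 'break the glass' check: legitimate emergency access
    exists, but it should be rare and reviewed rather than silent.
    """
    return [
        (r["ts"], r["user"], r["patient"])
        for r in records
        if r["user"] not in care_team.get(r["patient"], set())
    ]


def snooping_burst_alerts(records, window=timedelta(minutes=15), threshold=5):
    """Flag patient records opened by >= threshold distinct users inside one window.

    A sliding window over each patient's accesses (sorted by time) catches the
    'crowd around one chart' pattern. One alert per patient is enough for triage.
    """
    by_patient = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_patient[r["patient"]].append(r)

    alerts = []
    for patient, recs in by_patient.items():
        start = 0
        for end in range(len(recs)):
            # Advance the window start until the span fits inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if len(users) >= threshold:
                alerts.append((patient, recs[start]["ts"], recs[end]["ts"], len(users)))
                break
    return alerts


def run_detection(log_text=SAMPLE_AUDIT_LOG, care_team=CARE_TEAM):
    """Run both checks and return their findings for review."""
    records = parse_audit_log(log_text)
    return {
        "no_relationship": no_relationship_alerts(records, care_team),
        "snooping_burst": snooping_burst_alerts(records),
    }


if __name__ == "__main__":
    findings = run_detection()
    for kind, alerts in findings.items():
        print(kind)
        for a in alerts:
            print("  ", a)
```

The relationship check depends on a reliable care-team source (orders, encounter assignments, scheduling), which is where most real deployments spend their effort; the burst check needs no such context and is the cheaper first signal. Both checks produce reviewable alerts rather than block access, since clinical workflows legitimately require occasional out-of-team access.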
Looking at time to discovery, of the reported incidents in September, it took an average of 387 days (median = 38 days) for healthcare organizations to discover a breach had occurred. While some entities discovered a breach immediately, one incident went undiscovered for almost six years, a result of insider-wrongdoing affecting 1,969 patient records. The longevity of this type of breach reinforces the need to have technology in place that can proactively detect a health data breach.
It also took an average of 66 days (median = 59 days) from the time a breach was discovered to when it was disclosed, either to HHS, the media or to state attorneys general.
The report authors conclude that the longevity of insider breaches is a cause for concern for healthcare organizations and reinforces the need for healthcare to proactively detect health data breaches. “Since the inception of the Breach Barometer, the report has consistently found the same recurring trends with the number of breach incidents each month and that insider threats to patient data remain unnoticed. It’s time for the healthcare industry to make patient privacy a priority,” the report authors wrote.