Report: Insider Threats to Patient Data Remain Unnoticed | Healthcare Informatics Magazine | Health IT | Information Technology

Report: Insider Threats to Patient Data Remain Unnoticed

October 18, 2017
by Heather Landi

Of the reported healthcare data breach incidents that occurred in September, it took an average of 387 days for healthcare organizations to discover a breach had occurred, according to a report from cybersecurity software company Protenus.

There was a substantial uptick in the number of breach incidents reported in the month of September, with almost half a million patient records compromised, according to the report. There were 46 incidents in September, compared to 33 in August, 36 in July and 52 in June. The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by The report includes breach incidents either disclosed to the U.S. Department of Health and Human Services (HHS) or to the media in the past month.

For the 42 incidents for which Protenus had numbers, 499,144 patient records were affected. The largest single incident for which Protenus had numbers involved 128,000 patient records in a hacking incident that involved ransomware. Reports did make it clear that this patient data was made inaccessible by the hacking.

In September, hacking accounted for 40 percent of all data breach incidents and 80 percent of all breached patient records. “There was one report that specifically mentioned ransomware, seven reports that mentioned phishing, and eight reports mentioned extortion attempts as part of the health data breach. The blackhat hackers known as TheDarkOverLord (TDO), whose hacks in the healthcare sector have been previously noted in our monthly reports, claimed responsibility for all eight of these extortion incidents,” the report stated. notes that extortion is on the rise across all sectors, and that the healthcare sector and education sector are prime targets for extortionists due to the sensitivity of the data and lack of security.

What’s more, there has been another string of insider breaches first reported in September that have taken at least a year to discover, and in some cases several years lapsed before discovery, the report stated. “It’s paramount for healthcare organizations to become more proactive and efficient at detecting these insider breaches, as the organization’s reputation and patient livelihoods are at stake. Healthcare organizations must learn from one another and utilize necessary resources to better combat this problem that is continuously plaguing the industry,” the report authors wrote.

Insiders were responsible for 33 percent of September’s breach incidents, and insider-wrongdoing affects almost three times as many patient records as insider-error.

“One insider-wrongdoing incident actually involved multiple hospital employees when they found out a patient was brought into the ER with a genital injury involving a foreign object,” the report authors wrote. “’A ton’ of hospital employees gathered in the patient’s OR room and took pictures of the injury with their cellphones. These pictures began to circulate around the hospital staff prompting a vigilant employee to bring the incident to hospital administrators.”

The report also notes one incident involving paper records, which is also an example of malicious insider-wrongdoing. A hospital employee stole a laptop and paper records, and then used that patient information to open credit cards in the patients’ names. “Unfortunately, this is an all too common example of the malicious activity that can occur when bad actors within a healthcare organization have access to patient information,” the report authors wrote, noting that this should serve as a reminder to healthcare organizations that it takes more than training and education to truly thwart insider-wrongdoing within an organization. “There are advanced analytics used within the nation’s leading hospitals that detect abnormal behavior within the EHR, promptly identifying potentially serious breaches to patient privacy, mitigating the overall risk to the organization and more importantly, its patients,” the report authors wrote.

Looking at time to discovery, of the reported incidents in September, it took an average of 387 days (median = 38 days) for healthcare organizations to discover a breach had occurred. While some entities discovered a breach immediately, one incident went undiscovered for almost six years, a result of insider-wrongdoing affecting 1,969 patient records. The longevity of this type of breach reinforces the need to have technology in place that can proactively detect a health data breach.

It also took an average of 66 days (median = 59 days) from the time a breach was discovered to when it was disclosed, either to HHS, the media or to state attorneys general.

The report authors conclude that the longevity of insider breaches is a cause for concern for healthcare organizations and reinforces the need for healthcare to proactively detect health data breaches. “Since the inception of the Breach Barometer, the report has consistently found the same reoccurring trends with the number of breach incidents each month and that insider threats to patient data remain unnoticed. It’s time for the healthcare industry to make patient privacy a priority,” the report authors wrote.
