In the second quarter of 2018, 3.15 million patient records were compromised in 142 healthcare data breaches, according to the Protenus Breach Barometer.
A discouraging 30 percent of privacy violations involved repeat offenders, indicating that “health systems accumulate risk that compounds over time if proper reporting and education do not occur,” the report observed.
If an individual healthcare employee breaches patient privacy once, there is a greater than 30 percent chance that he or she will do so again in three months’ time, and a greater than 66 percent chance he or she will do so again within one year, the report related.
Protenus worked with Databreaches.com to collect data from HHS, press reports, and proprietary nonpublic data from the Protenus AI platform for the Breach Barometer.
For incidents disclosed to HHS or the media, insiders were responsible for 31 percent of breaches in the second quarter.
Protenus estimated that more than nine out of 1,000 healthcare employees breach patient privacy, up from around five employees per 1,000 in the first quarter. The report attributed the increase to healthcare privacy teams better using advanced analytics to detect more incidents.
Family snooping was the most common insider-related breach, making up 71 percent of the privacy violations, compared to 77 percent in the first quarter.
The report found that it takes healthcare organizations an average of 204 days to detect a breach once it has occurred. This time period ranges from one day to four years.
Of the 61 incidents for which data was disclosed, it took an average of 71 days from when a breach was discovered to when it was disclosed to HHS, the media, or other sources. The median disclosure time was 59 days. HHS requires organizations to report a breach involving 500 or more individuals within 60 days of discovery.
The report found that insider incidents were associated with the longest gaps between the breach occurrence and detection.
Healthcare security teams are spread thin. In hospital teams responsible for responding to insider threats, one investigator monitors an average of nearly 4,000 employees, handles 25 cases, and is responsible for 2.5 hospitals.
Healthcare hacking incidents nearly doubled sequentially, accounting for 52 data breaches in the second quarter, up from 30 breaches in the first quarter.
Forty-four of the hacking incidents in the second quarter affected 2,065,813 patient records. Seven of those reported incidents involved ransomware or malware, and ten incidents mentioned a phishing attack.
In addition to malware, ransomware, and phishing, there were 23 reported incidents related to theft. Data was disclosed for 19 of those incidents, which affected more than 600,000 patient records.
Of the 143 disclosed healthcare data breaches that occurred in the second quarter, 99 of them were disclosed by a healthcare provider, 15 were disclosed by a health plan, 18 were disclosed by a business associate or third-party vendor, and ten were disclosed by businesses or other organizations.
Twenty-three breaches involved paper records. Disclosed data was available for 14 of those incidents, affecting 158,711 patient records.
There were 26 disclosed breaches involving business associates or third-party vendors. Data was available for 22 of these incidents, affecting 796,875 patient records.
There were nine instances in which a business associate was involved with a hacking incident, nine insider-error incidents, two insider-wrongdoing incidents, two thefts, and one incident with unknown categorization.
Thirty-eight states were involved in the 142 disclosed health data breaches for which Protenus had location data. California had the most data breaches of any state, with 20 incidents. Texas had the second highest rate, with 13 incidents.
“Healthcare organizations must remain vigilant, looking for best practices in healthcare privacy that will allow them to audit every access to their patient data. Full visibility into how their data is being accessed and used will help organizations secure patient trust while preventing data breaches from having costly consequences for their organization,” the report concluded.