A total of 4.4 million patient records were compromised in 117 health data breaches in the third quarter of 2018, according to the latest Protenus Breach Barometer.
These figures compare with 3.15 million records compromised in 142 health data breaches in the second quarter, and 1.13 million patient records compromised in 110 breaches in the first quarter, according to the quarterly report prepared by security firm Protenus and DataBreaches.net.
“It’s important to note that the number of affected patient records has continued to climb each quarter in 2018,” explained the report.
More than half of those breaches were due to hacking, while 23 percent were the result of insider incidents. In fact, Protenus found that insiders accounted for an increasing number of health data breaches in 2018.
The number of patient records breached by insider wrongdoing increased from 4,597 in the first quarter to 290,689 in the third quarter.
“For the purposes of our analysis, insider incidents are characterized as either insider-error or insider-wrongdoing. The former includes accidents and other incidents without malicious intent that could be considered ‘human error.’ Insider-wrongdoing includes employee theft of information, snooping in patient files, and other cases where employees appeared to have knowingly violated the law,” the report related.
Third parties continue to pose risks to healthcare providers. Third-party breaches accounted for 1.34 million patient records in the third quarter.
A total of 27 disclosed incidents involved business associates or third-party vendors in the third quarter. Data was available for 23 of these incidents. There were 14 instances in which a business associate was involved with a hacking incident, seven insider-error incidents, one insider-wrongdoing incident, two incidents of theft, and two incidents with unknown categorization.
Of the 117 health data breaches that occurred in the third quarter, three-quarters (86) were disclosed by a healthcare provider, 13 were disclosed by a health plan, 13 were disclosed by a business associate or third-party vendor, and five were disclosed by businesses or other organizations.
It took a disturbing average of 402 days to discover a health data breach. The median discovery time was 51 days. Discovery times varied widely, with the shortest at one day and the longest at 5,605 days, according to Protenus.
The one that took 5,605 days to discover was a data breach at Virginia-based VCU Health System, which admitted in July that an employee “inappropriately accessed” health information for about 4,700 people or their children.
VCU Health System discovered that the employee had been inappropriately accessing health information since January 3, 2003. The information included patients’ names, home addresses, dates of birth, medical record numbers, healthcare providers, visit dates, health insurance information, medical information, and in some cases, Social Security numbers. The employee was subsequently fired for the breach.
Among states, Florida had the most data breaches, with 11 separate incidents in the third quarter. California had the second-highest number, with 10 separate incidents, followed closely by Texas with nine incidents.
“There is an alarming trend that seems to be emerging with the sharp increase in patient records affected by insider-wrongdoing incidents each quarter so far in 2018. It’s also possible that this trend is simply an artifact of better breach detection and reporting for incidents that would have previously gone undetected or undisclosed to the public,” the report observed.
“Regardless, in order for healthcare organizations to combat the challenges associated with health data security, it is critical for healthcare privacy offices to leverage technology that will allow them to audit every access to their patient data. Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their more sensitive information,” it concluded.