Protenus, a healthcare security organisation, has released its quarterly Breach Barometer Report for Q3 2018. The report is designed to give an insight into the causes of breaches in the healthcare community, and to provide healthcare organisations with information that could assist them in improving the security around protected health information (PHI).
| Quarter | Number of Breaches | Number of Records Stolen |
|---|---|---|
| Q1 | 110 | 1,129,744 |
| Q2 | 142 | 3,143,642 |
| Q3 | 117 | 4,390,512 |
While there were 25 fewer breaches in Q3 in comparison to Q2 (a reduction of 17.6%), over 1.2 million more records were stolen. This dramatic increase may be due to a huge phishing attack at Iowa Health System UnityPoint Health, which saw 1.4 million records stolen. The phishing attack saw multiple employee email accounts compromised, allowing the attacker access to a huge number of files. The organisation had fallen victim to a previous phishing attack, but only 16,400 patient records were compromised in that breach. The scale of the more recent phishing attack demonstrates how serious an issue hacking/IT incidents can be for healthcare organisations.
In Q3, hacking was the leading cause of healthcare data breaches. 51% of the 117 breaches were due to hacking and those incidents accounted for 83% of all exposed records in the quarter. Hacking incidents and the number of records exposed through hacking both increased in Q3.
Although external threats are at the forefront of people’s minds when they think about data security, those working within organisations still pose threats, whether deliberate or accidental. In Q3, 27 breaches (23%) were due to insider wrongdoing or error, resulting in the theft/exposure/disclosure of 680,117 health records (15% of the records exposed in Q3). Insider wrongdoing includes theft of data by employees, snooping on medical records, and other incidents where insiders violated HIPAA Rules.
The report stated that 19 breaches were caused by insider error – mistakes made by healthcare employees that resulted in the exposure or impermissible disclosure of healthcare records. Insider errors resulted in the exposure/disclosure of 389,428 patient records.
There were 8 incidents involving insider wrongdoing, affecting 290,689 people. Protenus has drawn attention to the significant increase in records exposed/stolen through insider wrongdoing. In Q1, 4,597 patients were affected by insider wrongdoing; the number increased to 70,562 in Q2. This increase of over 6000% since Q1 remains unexplained.
These figures are summarised below:
| Cause of Breach | Number of Breaches Reported | Number of Records Exposed |
|---|---|---|
| Hacking/IT | 60 | 3,644,125 |
| Insider error | 19 | 389,428 |
| Insider wrongdoing | 8 | 290,689 |
The Breach Barometer Report provided a breakdown of the types of organisations in the healthcare industry that were reporting breaches. Healthcare providers disclosed 86 breaches in Q3, health plans reported 13 breaches, and a further 13 breaches were reported by business associates. 5 breaches were reported by other entities. 27 incidents – 23% of the total – had some business associate involvement, even if the breach was not reported by the business associate itself.
On average, it took 402 days to discover data breaches. This is a measure of time between when the breach was first noticed by the organisation and the estimated date at which the breach occurred, for example, when a hacker may have gained access to a system. The median time to detect a breach was 51 days. One healthcare provider took 15 years to discover an employee had been accessing healthcare records without authorization. Over that time frame, the employee had viewed the records of 4,686 patients without any work reason for doing so. The average time to report breaches was 71 days and the median time was 57.5 days.
The states worst affected by healthcare data breaches in Q3 were Florida with 11 incidents, followed by California with 10, and Texas with 9 incidents.