Analysis of 2019 Healthcare Data Breaches
A recent analysis of 2019 healthcare data breaches by Protenus has confirmed that 2019 was a particularly bad year for the U.S. healthcare industry, with more data breaches of 500+ records reported than any other year since the company started producing the reports in 2016. Based on OCR figures, 2019 was the worst year since OCR started published summaries of breaches on its ‘Wall of Shame.’
In 2019, there were 572 data breaches reported to OCR, the media, or other sources, up from 503 reported breaches in 2018 – A year-over-year increase of 13.7%. Even worse is the increase in the severity of breaches. 2019 saw a 174.5% increase in the number of breached healthcare records, increasing from 15.08 million records in 2018 to at least 41.4 million patient records in 2019. That total is based on figures from just 481 of those breaches, as the number of victims from 91 incidents is not yet known. Those 91 breaches include two massive data breaches that each saw records from more than 500 dental practices compromised.
One of the biggest contributors to the breached record total in 2019 was the data breach at American Medical Collection Agency. The billings collection agency was hacked in September 2018 and the cyberattack was only discovered when data stolen by the hackers was listed for sale on a darknet marketplace 7 months later. The records of more than 20 million patients were stolen in that attack.
The 2020 Proteus Breach Barometer report shows there was a major increase in hacking/IT incidents in 2019, with 49% more incidents reported than 2018. The 330 hacking incidents saw at least 36,911,960 records breached. In 2019, hacking accounted for 58% of all reported healthcare data breaches.
There was a fall in the number of ransomware attacks in 2018, but attacks increased considerably in 2019. Ransomware attacks in the past few years have solely focused on encrypting data, but a new trend emerged in 2019. Several threat actors started exfiltrating patient data prior to deploying ransomware. A threat is then issued to publish or sell the data if the ransom is not paid. Several healthcare organizations have refused to pay the ransom and, good to their word, data has been sold or dumped online. There was also an attack in Florida which saw data stolen and ransom demands issued to the attacked entity and its patients.
Hacking incidents were up but there was some good news. Insider breaches have fallen by 20% in 2019, although more records were breached in insider incidents than 2018 – 3,800,312 records in 2019 compared to 2,793,607 records in 2018.
The fall in the number of incidents has been put down to improvements in employee education, which has reduced insider errors, and the adoption of AI-based solutions that can detect anomalous user activity. Out of the 110 insider breaches, 72 are known to have been caused by human error and 35 were the result of insider wrongdoing. Insider wrongdoing incidents involved 136,566 records and insider errors saw 3,659,962 records breached.
Healthcare organizations still struggle to detect data breaches when they occur, but things are improving. In 2018, the average time to discover a breach was 255 days. In 2019, the average was 225 days. Protenus reports that several insider breaches took more than 4 years to discover.
It is difficult to draw accurate conclusions about the time to report data breaches to the Department of Health and Human Services’ Office for Civil Rights from the limited data available. Data was only available for 187 of the 572 reported breaches. However, it is worrying that it took an average of 80 days to report those breaches to OCR, when HIPAA requires breaches to be reported within 60 days of discovery.