The Q3 Breach Barometer Report from Protenus shows a drop in the number of healthcare data breaches in Q3 compared to the previous quarter. While this is good news, the volume of compromised, stolen, or impermissibly disclosed healthcare records went up in Q3.
The number of exposed healthcare records has risen in every quarter of 2018. In Q1, 1,129,744 healthcare records were exposed in 110 breaches. In Q2, 3,143,642 records were exposed in 142 breaches. In Q3, 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed in 117 reported breaches.
Iowa health system UnityPoint Health reported the biggest healthcare data breach in Q3. The breach resulted from a phishing attack that led to multiple email accounts being compromised. 1.4 million patients were affected by the breach. This was UnityPoint Health’s second phishing attack of 2018. The first attack saw 16,400 healthcare data records compromised.
The top cause of healthcare data breaches in Q3 was hacking. Of the 117 breaches, 51% were caused by hacking and 83% of all healthcare records exposed in Q3 were the result of those incidents. There was an increase in hacking incidents and the quantity of exposed records due to hacking in Q3.
The second biggest cause of healthcare data breaches in Q3 was insider wrongdoing or insider error, which was behind 27 breaches, or 23% of all data breaches in the quarter. Those breaches resulted in 680,117 health records being stolen, exposed, or impermissibly disclosed, or 15% of breached records in Q3. Protenus classes insider wrongdoing as data theft by employees, snooping on healthcare records, and other employee HIPAA violations.
There were 19 breaches caused by insider error that led to exposure or impermissible disclosure of healthcare records. Insider errors resulted in the exposure or impermissible disclosure of 389,428 patient records.
There were 8 breaches caused by insider wrongdoing. Protenus explained that there has been a significant rise in exposed/stolen records due to insider wrongdoing. The number of patients affected by insider wrongdoing increased from 4,597 in Q1 to 70,562 in Q2, and 290,689 in Q3.
Healthcare providers reported 86 breaches, health plans reported 13 breaches, and business associates reported 13 breaches in Q3, although 27 incidents or 23% of all breaches involved business associates to some degree. Other entities reported 5 breaches.
On average, data breaches were discovered in 402 days, with a median time of 51 days. It took one healthcare provider 15 years to find out that an employee was accessing healthcare records with no legitimate work reason for doing so. Throughout that time, the employee viewed 4,686 patients’ records. Reporting breaches took 71 days on average, with a median time of 57.5 days.
Florida had the highest number of healthcare data breaches in Q3, with 11 incidents reported. California had 10, while Texas had 9 incidents reported.