The healthcare industry is a target for hackers, but while there have been many hacks and IT incidents, hackers are not the greatest threat. The actions of healthcare providers, health insurance providers, and their employees cause more breaches than hacks, ransomware attacks, and malware incidents.
Researchers from Johns Hopkins University and Michigan State University studied the data breaches documented by the Department of Health and Human Services’ Office for Civil Rights (OCR) in the last 7 years and discovered that over 50% of breaches were caused by negligence or insiders.
The journal JAMA Internal Medicine published the recent research study, which is a follow-up to a 2017 study that looked into the threat of hospital data breaches and which types of hospitals were most vulnerable to them. The preceding research revealed which hospitals were most susceptible to breaches, but the researchers noted there is little data available on the principal causes of healthcare data breaches. The recent study plugs that information gap.
The researchers conducted a retrospective evaluation of the 1,183 healthcare data breaches documented by OCR from October 21, 2009 to December 31, 2017. Those breaches resulted in the impermissible disclosure or inadvertent exposure of 164 million healthcare records.
The study was restricted to breaches of 500 or more records, as summaries of smaller breaches are not published by OCR. The breach reports divide data breaches into 6 categories: hacking/IT incidents, theft, loss, unauthorized access/disclosure incidents, improper disposal, and unidentified. 77.6% of breaches were appropriately categorized, while 22.24% were mis-classified or had an unknown cause.
The researchers found that a major cause of breaches was data theft by third parties or unknown individuals, which accounted for 32.5% of breaches. Mailing errors were the second main cause (10.5%), followed by theft by present or past employees (9%). Roughly 20% of breaches were caused by internal/external hacking incidents; however, 133.8 million of the 164 million data records were compromised as a result of those hacks. 53% of all data breaches were discovered to have started from within healthcare companies.
25% of all the breaches were due to unauthorized access or disclosure incidents, which was more than twice the number of breaches due to external hackers. The insider breaches included employees bringing PHI home or sending PHI to a personal account or device, viewing data without proper authorization, email errors such as sending PHI to incorrect recipients or copying rather than blind copying recipients, and sharing unencrypted information.
Analyzing the location of breached PHI revealed that 46.1% of breaches were associated with mobile devices, 28.7% involved paper records and 29.3% were network server-related breaches.
Although most breaches involve minor risks to patients, such as exposing a patient’s name and address to another patient, sometimes the effects on patients can be severe. For example, the 78.8 million-record breach of Anthem Inc. in 2015 resulted in criminals filing fraudulent tax returns in the names of the victims, bringing about financial losses.
Breaches also carry a significant cost for the breached entity. Besides the substantial expense of mitigating a breach, which involved improving cybersecurity defenses, hiring forensic investigators and cybersecurity experts, printing and sending notification letters, and offering credit monitoring services to breach victims, Anthem had to cover the cost of defending class action lawsuits. Those lawsuits were eventually settled for $115 million. Anthem also paid OCR a $16 million compliance penalty to settle HIPAA violations discovered during the breach investigation. In addition, Anthem suffered considerable damage to its reputation as a result of the breach and lost business to competitors.