Protenus’ Healthcare Breach Barometer Report for February 2018 has been published. The report talks about all the healthcare data breaches submitted to the Department of Health and Human Services’ Office for Civil Rights and those disclosed to the media for the month of February 2018.
Using the collected data from databreaches.net, the confirmed number of breached healthcare records in February is at least 348,889. The figure is not yet final as 11 breaches still has no confirmed number of people affected. There were more security breaches in February than in January. February had 39 while January had 37. However, the number of exposed records in February decreased from 473,807 records.
The top cause of healthcare data breaches were insiders. 16 out of 39 incidents (41%) were insider breaches and resulted in the exposure or theft of 51% of confirmed breached records in February. 94% of insider breaches were because of healthcare employee errors. Only one incident was due to insider wrongdoing.
33% of healthcare data breaches in February was due to hacking/IT, which resulted to the exposure of 46% of the total breached records. Again, this data is not yet final. Five hacking incidents still have not reported the number of affected records. Four of the hacking /IT incidents were due to ransomware or malware. One of the incidents was the 135,000 record breach at St. Peter’s Surgery & Endoscopy Center in New York. Two of the hacking/IT incidents involved phishing. 13% of healthcare data breaches was due to theft/loss incidents. The cause of the last 13% is unknown.
Of the 39 data breaches, 23 were reported by healthcare providers, 8 by health plans, 4 by business associates and four by businesses/other vendors. The Office for Civil Rights actually have two breaches reported by business associates. However, Protenus reported 11 incidents to have some business associate/vendor involvement.
Protenus also reported that the average number of days from the occurrence of the breach to its discovery is 325 days. The median detection time is 34 days. The computed average is high because one incident took more than four years before it was discovered. The average time from discovery of the breach to reporting to OCR was 68 days and the median is 59 days. Six organizations violated the breach notification rule of 60 days.
Twenty-two states had reports of healthcare data breaches in February. California reported 6 incidents; Wisconsin and Georgia reported 3 each. In four years, 2017 reported the lowest number of breached records. However the number of incidents did not go down. The rate of healthcare data breaches is still more than one per day.