Protenus’ Insight on 2017 Breach Barometer Mid-Year Report

Protenus, together with Databreaches.net, has released its Breach Barometer mid-year report. It covers all healthcare data breaches documented in the last 6 months and gives valuable information about trends in 2017 data breaches.

The Breach Barometer is a detailed analysis of healthcare data breaches, including not only the data breaches submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR), but also the incidents reported by the media and the public. Before an incident is added to the report, it is individually verified by databreaches.net. The Breach Barometer reports examine the main causes of data breaches documented by healthcare companies, health plans and business associates.

Protenus Co-Founder and President Robert Lord discussed the results of the mid-year report. He stated that from January to June 2017, 233 data breaches were reported. Those breaches affected 3,159,236 patients. The biggest breach in the first half of 2017 was the theft of 697,800 records by a rogue insider. 96 incidents involved insiders – 57 were due to insider error, compromising 423,000 records; 36 were due to insider wrongdoing, compromising 743,665 records. The remaining 3 insider breaches were not categorized.

The true number of insider incidents is most likely higher than the number listed in the Breach Barometer report, because many incidents are never revealed publicly or submitted to HHS. One example is the misconfigured MongoDB databases. Many businesses do not report the exposure of PHI online, even though security researchers have found that the data are accessible without authentication. When these incidents are documented, they are frequently reported as hacking incidents, even if the underlying cause is human error.

There were 75 hacking incidents and 29 ransomware incidents reported in the first six months of 2016. Ransomware incidents are likewise underreported, even though OCR has clearly stated that ransomware attacks must be reported as breaches. The actual figure is most likely far higher.

The breakdown of breaches for 2016 is as follows:

  • 41% insider incidents
  • 32% incidents due to hacking
  • 18% caused by loss/theft of records and storage devices
  • 9% of breaches with unknown causes

Hacking is the second largest cause of data breaches by number of incidents, but it is associated with the largest number of exposed or stolen records. See the following figures:

  • 1,684,904 exposed/stolen records resulted from hacking
  • 1,166,674 exposed/stolen records were because of insiders
  • 112,302 exposed records were due to theft/loss
  • 178,420 exposed records were due to unidentified causes

For perspective, from January to December 2016, 450 incidents were reported, so the rate at which data breaches occur is similar to last year. Although the number of reported breaches has remained relatively constant, the severity of breaches this year has increased, with more people affected by breaches than last year.

Last year, about 2 million patients were impacted by insider breaches. This year, 1.17 million people have already been affected by insider breaches. Hacking incidents have likewise increased. Last year, 120 hacking breaches were confirmed; this year, 75 have already been reported.

In June, 52 healthcare data breaches were reported, the biggest total for any month this year so far. The second biggest monthly total was 39 incidents. June also recorded the third largest number of persons affected by breaches, with 729,930 records.

The time from the occurrence of a breach to its discovery is notably poor in the healthcare sector. The mean time was 325.6 days and the median was 53 days. Healthcare companies are not detecting breaches fast enough. Faster detection could significantly reduce the harm to patients and the cost of mitigation.

The good news is that the time it takes to report breaches to OCR has improved over the last 6 months. The mean time is 54.5 days, while the median is 57 days. Under HIPAA rules, covered entities must report data breaches to OCR and notify the affected individuals within 60 days. In June, both the mean and the median were within the allowed time frame.

So, what is the trend for the rest of 2017? There is no indication that the remaining months of the year will bring improvement. The next six months may be just as bad, or even worse. In other industries, hacking and malware are the main causes of breaches, but in the healthcare industry, insider incidents are the biggest concern. Healthcare companies should take action to stop these breaches, deploying technologies that help prevent insider breaches and detect them quickly when they occur.

People’s lives are significantly impacted by healthcare data breaches. Covered entities must do more to prevent breaches and ensure they are discovered promptly. Quick discovery and notification enable patients and health plan members to take steps to minimize the damage caused.