2018 saw a massive increase in the number of exposed healthcare records according to the 2019 Breach Barometer report from Protenus. The report contains an analysis of 2018 healthcare data breaches that were tracked by Databreaches.net. The data include breaches reported in the media, as well as those reported to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.
According to the report, the number of healthcare data breaches increased only slightly from last year although the number of exposed healthcare records tripled. In 2018, 503 healthcare data breaches were reported compared to 477 in 2017. The number of breached records increased from 5,579,438 in 2017 to 15,085,302 in 2018.
March was the worst month of 2017 in terms of the number of records exposed and there was a general downward trend throughout the rest of the year; however, in 2018, the number of exposed records increased significantly each quarter from 1,175,804 exposed records in Q1 to 6,281,470 exposed healthcare records in Q4.
The largest data breach of 2018 was a hacking incident at a business associate of a North Carolina health system. In a period of one week, the hackers accessed the health records of 2.65 million people.
Since 2016, there has been a steady increase in hacking incidents each year. 222 hacking incidents were reported in 2018, up from 178 in 2017. In 2018, hacking incidents accounted for 44.22% of healthcare data breaches. Those breaches resulted in the theft/exposure of 11,335,514 patient records, although the number of individuals affected was only known for 180 of the 222 hacking incidents. Many of the breaches could not be accurately categorized, although those that could were largely due to phishing and ransomware/malware incidents.
Insider incidents such as human error and insider wrongdoing were behind 28.09% of breaches in 2018, down from 37% of breaches in 2017. Data was obtained for 106 insider breaches in 2018. The breaches involved 2,793,607 records – 19% of all exposed records in 2018. Although the number of insider incidents fell from 176 in 2017 to 139 in 2018, the number of exposed records due to insider breaches increased year over year.
Insider errors resulted in 785,281 exposed records in 2017 and 2,056,138 exposed records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018. Loss/theft incidents were behind 14.34% of breaches in 2018. The cause of 13.35% of breaches was unknown.
Without the appropriate tools, it is difficult to detect insider breaches. In one instance, a healthcare provider took 15 years to discover that an employee had been snooping on patient records. Several cases took more than 4 years to discover.
The most common causes of insider breaches were snooping by family members (67.38%) and snooping by co-workers (15.81%).
In 2018 it took an average of 255 days to discover data breaches and an average of 73 days to report a breach.
Healthcare providers were the worst affected by data breaches in 2018 with 353 reported incidents (70% of all reporting entities). Business associates reported 49 incidents (10%) but were involved in 102 breaches (20%). Health plans reported 62 breaches (12%) and other entities reported 39 breaches (8%).