Protenus published its summary and analysis of 2017’s healthcare data breaches using data from Databreaches.net. Databreaches.net collected all the healthcare data breaches submitted to OCR, the media plus other sources in 2017. So, what are the highlights of the report?
We did not see any million-record breaches in 2017 as what happened in 2015 and 2016. The largest data breach in 2017 impacted 697,800 records. It was an incident involving a healthcare employee who downloaded PHI to a CD and USB drive. But there were more than one data breach occurring per day. The report listed 477 healthcare data breaches in 2017. The details of all the breaches are not known yet. The same is true for the exact number of patient records exposed. 2016 had 450 incidents. 2017 just had 6% more. But the difference in the number of records exposed/stolen is huge. There were 27,314,647 exposed records in 2016 and only 5,579,438 records in 2017.
The two main causes of data breaches in 2017 are hacking/IT incidents and insider incidents. There were 178 hacking/IT incidents exposing 3,436,743 records. 120 hacking incidents occurred in 2016 exposing 23,695,069 records. The hacking incidents are less severe in 2017 but more numerous.
The reason for the increase in breach incidents is the increase in ransomware/malware attacks reported. This was triggered by the OCR’s issuance of guidance that ransomware attacks are security incidents that must be reported under HIPAA Rules. Before this guidance, healthcare providers did not report ransomware attacks if there’s no evidence that data was stolen or accessed.
There were 176 insider incidents that happened in 2017. 143 of the 176 incidents exposed 1,682,836 records. Compared to 2016, there were 192 insider incidents exposing 2,000,262 records. The numbers were obviously higher in 2016.
Insider incidents were either insider error or insider wrongdoing. Insider errors are mistakes that healthcare employees did that resulted in data exposure. Insider wrongdoings could be theft or snooping. There were 102 insider errors and 70 wrongdoings. It’s difficult to get rid of PHI theft by employees but with more organizations implementing encryption of devices, incidents declined.
Of the 477 breaches in 2017, 379 were reported by healthcare providers, 56 by health plans, and 23 by business associates. Breaches were reported from 47 states. Hawaii, New Mexico and Idaho did not have any breach incidents. California had the most number of breaches at 57. Texas is second at 40 and Florida is third at 31.
This year the average time to discover a breach is 308 days. It’s slower this year than last year. The average time to report a breach this year is 73 days. Last year was slower at 344 days. The faster reporting time must be because of the case of Presense Health. OCR penalized Presense Health for delaying breach notifications.
Overall, 2017 was a good year for the healthcare industry in certain areas. But there’s still room for improvement.