More Than 3.14 Million Healthcare Records Were Exposed in Q2, 2018

Protenus has released its Q2 2018 Breach Barometer Report – A summary and analysis of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and the media in Q2, 2018. The report was based on data from databreaches.net, OCR, and proprietary data collected by Protenus through its compliance and analytics platform.

The report shows there were 143 data breaches announced in Q2, 2018. Those breaches resulted in the exposure of a minimum of 3,143,642 health records – Three times the number of healthcare records exposed or stolen in Q1, 2018.

Five of the six largest healthcare data breaches of 2018 occurred in the second quarter. The biggest breach was reported by the California Department of Development Services. 582,174 records could have been viewed during an office burglary. In May, MSK Group announced that unauthorized individuals gained access to its network and potentially viewed/copied the PHI of 566,236 patients. LifeBridge Health experienced the third largest data breach of 2018. 538,127 patient records were exposed and potentially stolen as a result of a malware infection on a server where billing data and medical files were saved. In June, Oklahoma State University Center for Health Sciences announced that its computer network was hacked and 279,865 records were compromised. The sixth biggest breach was reported by Med Associates, Inc.. A desktop computer was hacked which resulted in the exposure of 276,057 patients’ PHI.

The leading cause of healthcare data breaches in Q2 of 2018 was hacking/IT incidents. The number of hacking incidents increased by 73% from 30 in quarter 1 to 52 in quarter 2.  At least 2,065,813 healthcare records were exposed or stolen in those attacks. Of these 44 breaches, ten were phishing-related incidents, 7 were ransomware/malware-related, and one involved another type of extortion.

30.99% of breaches (44) in Q2 were insider breaches. 25 breaches involved insider error and 18 breaches involved insider wrongdoing. The number of people affected by those breaches is uncertain since data was only available for 27 of the 44 incidents. Those 27 breaches affected 421,180 patients.

There were 23 incidents of theft of physical or electronic records and 23 breaches are not categorized due to a lack of information.  In total, 84% of healthcare data breaches in Q2 involved electronic records. 76.37% of reported breaches affected healthcare providers, 10.91% of breaches affected health plans, 5.45% affected business associates, and 7.27% affected other entities.

It took an average of 204 days to discover a breach with a median detection time of 18 days. The breach detection time ranged from 1 to 1,587 days. The average time to report breaches to the Office for Civil Rights was 71 days with a median time of 59 days. The state of California had the most breaches with 20 while Texas had 13.

Insider breaches remain a major concern. When healthcare records are impermissibly accessed, there is a 30% probability that the employee will violate patient privacy again within 3 months. There is a 66% probability that medical records will be impermissibly accessed again within 6 months. Discovering these privacy breaches quickly is therefore important; however, at many hospitals it can take a long time for these breaches to be discovered. Typically, one investigator keeps track of the ePHI access attempts of 4,000 employees in 2.5 hospitals on average, which is a significant burden. Data collected by Protenus suggests that 9 out of 1,000 healthcare employees will breach patient privacy. Most often, employees engage in snooping on family members’ medical records. 71.4% of cases of snooping in Q2 of 2018 involved employee viewing the medical records of family members.