Report of Healthcare Data Breaches for August 2017

Healthcare data breaches have dropped for the second consecutive month, according to the latest Breach Barometer report from Protenus and Databreaches.net. In August, 33 healthcare data breaches were reported, 3 fewer than the 36 incidents reported in July and 23 fewer than the 56 in June. Although the decline is welcome, that is still more than one healthcare data breach per day.

August was the second best month of the year so far in terms of the number of reported breaches, but the third worst in terms of the number of people affected. 575,142 individuals were affected by healthcare data breaches in July, and the figure rose to 673,934 in August. That number will rise further: two incidents were excluded from the total because the number of individuals affected is not yet known.

The largest breach of the month was reported by Pacific Alliance Medical Center. 266,133 patients were affected by a ransomware attack, making it one of the largest healthcare attacks reported this year.

For most of the year, insider incidents led the breach reports, but in July hacking became the leading cause of breaches. In August, hacking still accounted for 54.5% of all data breaches, and those hacking incidents were responsible for 95% of all breached patient records. The hacking total includes phishing and ransomware attacks; at least five of the breaches reported in August involved ransomware.

In August, insiders accounted for 9 incidents, or 27.3% of all breaches. Seven were insider errors and two were insider wrongdoing. A further 15.2% of breaches were caused by the theft or loss of unencrypted devices containing PHI.

Although breaches of electronic protected health information (ePHI) dominated the reports, six breaches of physical records were also reported, including two mailings in which PHI was visible through the clear plastic windows of the envelopes.

Protenus notes that while healthcare providers appear to be getting faster at identifying data breaches, the detection figures for the past two months may be misleading. The reduction in time to detect breaches coincided with a rise in hacking incidents, which tend to be identified far more quickly than insider breaches, so the improvement may reflect the mix of incident types rather than better detection capability.

Protenus reports that in August, hacking incidents took an average of 26 days (median 22.5 days) to detect, whereas insider incidents took an average of 209.8 days (median 115 days) to discover. The gap between the mean and the median for insider incidents shows that a few long-undetected cases are pulling the average up, and it illustrates the difficulty healthcare organizations face in discovering insider breaches, which typically involve authorized users accessing records they have no legitimate reason to view.

Covered entities are required to notify HHS and affected patients within 60 days of discovering a breach, and most did so, with only three organizations missing the deadline. One entity took 177 days from discovery of the breach to submit its report to HHS. The average time to report was 53 days, with a median of 58 days, which suggests many organizations are treating the 60-day limit as a target rather than as an outer bound.

The breach reports followed the same pattern as most months, with healthcare providers suffering the bulk of breaches (72%), followed by health plans (18.2%). Business associates reported 3% of breaches and 6% were reported by other covered entities, including one pharmacy and one private school. The worst affected state was Texas with five breaches, followed by California with four, while Ohio and New York had three each.