Health Data Breaches: “The trend of at least one breach per day that began in 2016 is expected to continue in 2019.”

That’s one of the conclusions from the recent Protenus 2019 Breach Barometer report, published by healthcare compliance analytics company Protenus Inc. The report, which reviews health data breaches reported during 2018, emphasizes that organizations with Protected Health Information (PHI) still suffer from the same vulnerability areas and fall victim to the same attacks. Furthermore, the number of records impacted per breach is trending significantly upward. As of this writing, 68 breaches affecting 2.6 million records have been reported to the HHS Breach Portal during 2019. That’s more than twice as many affected records as the same period last year.

In short, the trends in the Breach Barometer suggest that the baseline risk of a health data breach is increasing across the board. Organizations with PHI – large and small – need to understand the importance of assessing and managing risks to the organization’s data.

Reviewing 2018

• The total number of breaches (503) increased slightly from 2017.
• However, breaches in 2018 affected over 15 million patient records, nearly three times the number from 2017.
• The number of breached patient records increased every quarter during 2018, as shown in the chart from Protenus below.

Key Challenges

Insiders

• Insiders accounted for 28% of the reported breaches.
• Incidents in 2018 are fewer vs. 2017, but the number of patient records affected is substantially higher.
• Insider error was a much bigger problem than insider wrongdoing, both in incident count and records affected. (See comparison below.)
• “On average, 3.86 healthcare employees breach patient privacy per every 1,000 employees.”

Hacking

• Hacking incidents accounted for 44% of the 2018 breaches.
• Hacking exposed 11 million records in 2018. That’s a huge increase compared to the 3 million records hacked in 2017.
• Phishing and other employee-targeted attacks continue to be a major problem.

Business Associates

• Business Associate breaches accounted for 5.3 million records in 2018, about one-third of the year’s total.
• This number emphasizes the importance of assessing third-party risk to an organization’s protected health information.

Paper Records

• “89 incidents involved paper records. These incidents affected 586,728 patient records.”
• Although many organizations are shifting to digital, these paper records remain an area for concern.

Incident Discovery for Health Data Breaches

• Organizations remain very slow to discover health data breaches, with a mean discovery time of 255 days. In other words, it took on average 5 months for organizations to discover they had suffered a data breach!
• The worst of these included an insider incident that took 15 years for the organization to discover. Seven other breaches had taken over four years to identify.
• On the (slightly) brighter side, the median discovery time was 28 days, so the majority of incidents were discovered in under a month.
• Hacking incidents were generally discovered quickly, while insider incidents took organizations much longer to identify. Due to resource limitations, internal audit teams are investigating only a small fraction of potential violations. This suggests that many incidents are never identified.

Takeaways

Health data breaches are growing bigger and more common. Organizations with PHI continue to suffer the same issues and make the same mistakes, year after year.

Please do not become a headline in 2019. Assess your organization’s risks this year. Take steps to address issues.  Do it for yourself, because it’s good business, and for the good of the people you serve. Don’t become a statistic in the 2020 Breach Barometer report.

Need help with a security risk analysis for your organization? At Eagle, we pride ourselves on providing a thorough, useful, and action-oriented security risk analysis for our clients. Contact us today!