The number of healthcare data breach incidents was particularly high in September. According to the November 2017 healthcare Breach Barometer Report by Protenus, October returned to a more typical level, with 37 breach incidents. The breaches counted in the report are those reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) and those tracked by databreaches.net and the media.
Several breach incidents had not yet been included in the report, among them a large one that impacted about 150,000 persons, and the number of persons impacted by 8 of the breaches was also not yet known. An estimated 246,246 persons were victimized by healthcare data breaches in October 2017, the lowest monthly total since May 2017.
Hacking has been the leading cause of breaches in recent months, and that remained true in October: 35% of all incidents were due to hacking, 29% were insider incidents and 16% were loss or theft of devices. The causes of the remaining 20% are unknown.
Hacking incidents are usually associated with larger numbers of exposed or stolen records, but in October insider errors exposed more healthcare data than hacks did: the PHI of 157,727 persons was exposed through insider errors, compared with 56,837 persons through hacks. Three incidents were attributed to the TheDarkOverlord hacking group.
A total of 11 breaches were due to insiders: five errors and six cases of wrongdoing. The largest breach was an improperly secured AWS S3 bucket that exposed 316,363 PDF reports containing the PHI of 150,000 persons; two of October’s incidents involved unsecured AWS S3 buckets. Another insider incident involved mailed flyers on which PHI related to patients’ HIV status was visible through the mailing envelope.
Breach incidents reported in October took an average of 448 days to discover; the median was 304 days, which shows how much organizations still struggle to detect data breaches promptly. By contrast, the median time from discovery of a breach to reporting it to OCR was 59 days. Two HIPAA-covered entities took more than 60 days to report breaches to OCR, in violation of the HIPAA Breach Notification Rule. One of the incidents involved a nurse who stole patients’ records in order to file falsified tax returns.
Of the 37 healthcare breach reports, 29 came from healthcare providers, 7 from health plans and one from a school; four involved a business associate. The worst-hit states in October were California, Florida, Texas and New York.