The healthcare industry has had a particularly bad first six months. The many reports of data breaches and the volume of healthcare records exposed every day are very concerning. The trend in 2019 is more than one healthcare data breach per day, and it even reached 2 data breaches per day in May.
According to Protenus and Databreaches.net’s 2019 Mid-Year Data Breach Barometer Report, there were 31,611,235 breached healthcare records from January 2019 to June 2019. That is double the volume of healthcare data records exposed in 2018, which stood at 14,217,811 records.
Of the 285 breaches reported in the first half of 2019, the American Medical Collection Agency (AMCA) data breach stands out. A dark net marketplace was found selling a set of stolen credentials, which was tracked back to AMCA. Only then did AMCA discover the compromise of its payment website, which had been ongoing for months. There’s no final number of exposed healthcare records yet, but 18 clients have already confirmed being impacted, with over 20 million records breached.
According to the report, hacking incidents dominated the first 6 months of 2019. 60% of all breaches and 88% of breached data records were the result of hacking. Here’s the breakdown of the causes of the 285 breaches:
- Hacking – 168 breaches
- Phishing – 88 breaches
- Ransomware or malware attack – 27 breaches
- A form of extortion – 1 breach
60 incidents, or 20.91% of all breaches, were insider breaches resulting in the exposure of 3,457,621 records, or 11% of all breached records. Insider error resulted in 35% of incidents and insider wrongdoing resulted in 22% of breaches. 24 theft incidents resulted in the compromise of at least 184,932 records. 32 incidents with 142,009 exposed records still have no confirmed cause.
72% of the breaches were reported by healthcare providers, 11% by health plans, and 9% by business associates. 8% of breaches were unclassified. Although the above number of breaches is not atypical, 2019 had a lot of breaches reported by business associates.
Three of the largest healthcare data breaches in the first six months of 2019 were reported by business associates. The biggest breach of 2019 had a business associate involved. That breach also turns out to be the second biggest healthcare data breach ever. Hacking was the number one problem for business associates, accounting for 45% of business associate data breaches.
Business associate Dominion National discovered the breach of its systems after 8.5 years. When the breach was discovered, 2,964,778 records had already been compromised. Overall, the discovery of a breach took 50 days on average. The reporting of a breach to HHS took 77 days on average, with a median of 60 days.
Protenus remarks that the use of healthcare compliance analytics and patient data access audits is critical to reducing the risks across a healthcare organization and fighting the challenges linked to health data security.