For the first quarter of 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) received 77 reports of healthcare data breaches. Over one million patients and health plan members were affected by the breaches. This figure is twice the number of persons affected by healthcare data breaches in Q4 of 2017.
The number of reported data breaches went down by 10.5% quarter over quarter. However, the breaches were more severe. Mean breach size went up by 130.5% and median breach size went up by 15.37%. The mean breach size in Q1 2018 was 13,945 records compared to 6,048 in Q4 2017. The median breach size in Q1 2018 was 1,922 records compared to 1,666 in Q4 2017. Breaches in Q1 2018 affected the PHI of 1,073,766 people compared to 50,141 people in Q4 2017.
In 2017, more than one healthcare data breach occurred per day. January 2018 was a relatively good month, with only 22 data breaches reported. But the largest data breach of the quarter happened in January, with about 280,000 records exposed because of hacking. The number of reported data breaches increased from month to month in Q1 2018. The typical rate of breach reports is one per day.
The major cause of healthcare data breaches for Q1 2018 is still insiders. 35 incidents (45.45% of total breaches) were due to unauthorized access/disclosures. 15 incidents were due to loss or theft of electronic devices with ePHI. Although there were more incidents caused by unauthorized access/disclosure, hacking/IT incidents caused the exposure of more healthcare records.
Physical records were still the most common location of breached PHI in Q1 2018. Email was next, because of the increase in social engineering, misdirected emails and phishing attacks. Network servers came last.
In Q1 2018, 18 healthcare data breaches affected over 10,000 persons. Although hacking/IT incidents are usually the causes of large-scale data breaches, this time several were due to unauthorized access/disclosure, including five of the top 10 largest breaches of the quarter. Two of the largest breaches so far this year are the incidents at Oklahoma State University Center for Health Sciences and St. Peter’s Surgery & Endoscopy Center. The top 5 largest breaches this quarter resulted in the exposure of 57% of all records exposed in the same time period. The top 18 breaches of the quarter accounted for 87% of all records exposed.
Healthcare providers had the most data breaches in Q1 2018, followed by health plans and then business associates. Healthcare organizations from 35 states submitted reports of breaches that affected more than 500 records. California had 11 breach reports while Massachusetts had 8. Missouri and New York each had 4, while Florida, Illinois, Mississippi, Maryland, Wisconsin and Tennessee each reported 3 breaches. Alabama, Arkansas, Rhode Island, Kentucky, Texas and Wyoming each reported 2 breaches. Only one breach was reported from each of Colorado, District of Columbia, Connecticut, Georgia, Maine, Minnesota, Michigan, Iowa, North Carolina, New Mexico, New Jersey, Nevada, Oklahoma, Ohio, Pennsylvania, Virginia, Utah, Washington and West Virginia.