Protenus Healthcare Breach Barometer Report for January Published

The recently published Protenus Healthcare Breach Barometer report states that about 473,807 patient medical records were exposed or stolen in January 2018. That figure is not yet final, as 11 of the 37 breaches have yet to report the number of affected individuals. The total may reach half a million records.

Insiders were the top cause of healthcare data breaches in January, accounting for 12 of the 37 breaches (32%). Nevertheless, the number of individuals affected by insider breaches was relatively low: 6,805, or merely 1% of all individuals affected by breaches in January. That figure covers only 8 of the 12 insider breaches.

One notable insider breach involved a nurse who accessed the PHI of 1,309 patients over a 15-month period without proper authorization. The case showed the healthcare industry how important access monitoring technology is to protecting patient privacy.

Hacking/IT incidents were the second most common cause of data breaches in January, accounting for 11 of the 37 breaches (30%). These breaches affected 393,766 patients, or 83% of all individuals affected by breaches in January. In fact, just one hacking incident compromised 279,865 patient records, or 59% of all breached records.

The final number of affected individuals is likely to go higher. For one of the incidents, a ransomware attack on the EHR company Allscripts, the exact number of compromised records has yet to be determined. It is believed to be the biggest breach in January. Ransomware still creates big problems in the healthcare industry: six of the 11 hacking/IT incidents were ransomware or malware attacks, and two were phishing attacks.

The third most common cause of data breaches in January was the loss or theft of electronic devices and physical records, which accounted for 22% of all breaches. Two cases of lost patient records affected 10,590 persons. Four of the six thefts affected 50,929 persons; it is still unknown how many persons the other two thefts affected. There is no information yet on the cause of the remaining 16% of the breaches in January.

As in previous months, healthcare providers made up most of the breached entities (84%), followed by business associates (5%), health plans (3%) and other entities (8%). The median time to detect a breach was 34 days and the average was 252 days, based on information from 11 of the 37 breaches. The median time to report a breach after discovery was 59 days and the average was 96 days. The Breach Notification Rule requires a breach to be reported within 60 days of the date of discovery. Four breached entities took more than 60 days to report, with one taking over 800 days.