According to the Breach Barometer report issued by Protenus, healthcare data breaches increased significantly in September 2017. The report covers healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights, as well as security incidents tracked by databreaches.net that do not appear on the OCR ‘Wall of Shame.’
A total of 46 healthcare data breaches occurred in September. The protected health information (PHI) of at least 499,144 patients was exposed or stolen, although the number of victims has not been confirmed for every breach. The total is expected to rise, since four September breaches have not yet disclosed how many patients’ PHI was exposed. September was the second worst month for healthcare data breaches this year; June was the worst, with 52 data breaches reported, while August was better, with 33 data breaches reported by healthcare organizations.
Healthcare data breaches are caused either by hacking or by insiders. In September, hacking accounted for about 80% of the incidents, involving 401,741 records. The hacking incidents included seven phishing attacks, one ransomware attack and eight extortion attempts; the TheDarkOverlord hacking group was identified as responsible for some of the extortion attempts. Insider incidents accounted for 15 of the data breaches, exposing the PHI of 73,926 individuals: eight cases of insider wrongdoing and six insider errors. Four breaches involved theft and affected 17,295 patients. The worst reported data breach of September was a ransomware attack that rendered the PHI of 128,000 individuals inaccessible; the reports did not confirm whether those records were accessed or stolen.
The breaches involved 31 healthcare providers, 6 business associates of HIPAA-covered entities, 6 health plans and 3 schools. Most incidents were discovered within 6 weeks, and the median time to discovery was 38 days. In one reported incident, however, it took the healthcare provider 2,108 days to discover that an employee had been improperly accessing medical records.
Most healthcare organizations complied with the HIPAA Breach Notification Rule’s 60-day deadline; only two failed to meet it. One took 249 days to send notifications, exposing the organization to a potentially significant HIPAA violation penalty.