More Than 3M Records Exposed in Q2 2018 Healthcare Data Breaches

A recent study conducted by The Harris Poll on behalf of Scout, a healthcare marketing firm, uncovered some interesting statistics about healthcare data security and public perception. It determined that out of 2,000 US adults, about half are extremely or very concerned about the security of their healthcare data.

Another study, conducted by Protenus Breach Barometer, found that in the second quarter of 2018, from April to June, more than 3.15 million patient records were compromised across a total of 142 healthcare data breaches. The report reinforces the need for strong security measures in the healthcare system, concluding that healthcare organizations must maintain vigilance and be constantly on the lookout for best practices in healthcare privacy.

Examining The Data

Protenus Breach Barometer joined forces with Databreaches.com to gather data from a number of sources, including press reports, HHS, and nonpublic data from Protenus’ AI platform. According to incidents reported to the HHS or by the media, 31% of these breaches were executed by insiders.

According to the report published by Protenus, it’s believed that an individual healthcare employee who has breached patient privacy once is more than 30 percent more likely to repeat the offense within a three-month time frame. The chances that the employee will do so again within one year rises to more than 66%. Therefore, a delay in identifying and reporting these offenses is further putting institutions at risk.

The company estimated that out of 1,000 healthcare employees, more than nine are responsible for breaching patient privacy — an estimate up from five employees in the previous quarter.

One of the most common insider-related data breaches was family snooping, which accounted for a whopping 71% of the reported privacy violations. This number is down from 77 during Q1 of 2018.

According to the report, it can take organizations, on average, 204 days to identify a breach once it has occurred. Out of 61 incidents in which data was disclosed, the average time between when a data breach is identified, to the time it is reported to HHS or other sources, is 71 days. According to HHS requirements, a healthcare organization must report a breach involving 500 or more individuals no later than 60 days of discovery of the breach. Coincidentally, the largest gaps between the occurrence of the breach and discovery were reported with insider-related cases.

Out of the 143 healthcare data breaches disclosed, healthcare providers reported 99 of them, whereas 15 of them were disclosed by an insurance company or health plan. Business associates and third-party vendors were responsible for disclosing 18 of the cases, and ten were reported by other organizations.

It’s well known that healthcare security teams are lacking in manpower. It was reported that in hospital teams responsible for identifying insider threats, one investigator may be responsible for monitoring nearly 4,000 employees on average. This individual is responsible for 2.5 hospitals and handles a median of 25 cases.

With cyber threats on the rise within the industry, it’s vital that healthcare organizations do more to more to protect patient data. Thirty-eight states were included in the report’s 142 disclosed health data breaches. Out of these, California was responsible for the largest number of data breaches, with 20 incidents. Texas reported 13 incidents, ranking it the second highest.

The Rise Of Healthcare Hacking

Cyber threats are common in the digital world, but the stakes are particularly high in healthcare systems. According to the report, healthcare hacking accounted for 52 data breaches in Q2, which is a figure up from 30 during Q1.

Forty-four of these hacking incidents affected 2,065,813 patient records, with seven of them involving malware or ransomware. Ten hacking incidents mentioned a phishing attack.

In addition to phishing, malware, and ransomware, 23 incidents of those reported were related to theft. More than 600,000 patient records were compromised, with data disclosed for 19 of the 23 incidents.

Healthcare Hacking Prevention Tactics

There are some actions healthcare organizations can take to ensure they are keeping up with best practices in patient record security. The most important action to take is to perform an organization-wide risk analysis that covers all devices that contain ePHI or systems and devices that may be used to access PHI. Once this is performed, organizations can put into action a risk management plan that addresses and reduces all identified vulnerabilities.

It’s also important for healthcare organizations to keep up-to-date with the latest in equipment and regulations. All software systems should be maintained properly, with encryptions and backups implemented accordingly to protect patient information to the fullest extent. According to HIPAA, a good strategy for patient information backup is the 3-2-1 approach, which calls for at least three copies of data, across two different media, with one of these copies stored securely off-site.

Healthcare organizations may also do well to consider teaming up with threat intelligence organizations to keep privy about newly discovered threats and vulnerabilities. All of these steps combined can form a strong line of defense against healthcare hacking.