Protenus has released its mid-year healthcare data breach report. The Breach Barometer reports chart the data breaches experienced by healthcare organizations each month and include data from the Office for Civil Rights and other verified sources. The mid-year data breach report is a summary of all breaches reported between January and June 2017.
The mid-year healthcare data breach report shows that while the number of data breaches being reported has remained fairly constant year over year, the number of individuals impacted by healthcare breaches has increased. 223 incidents were reported between January and June. Last year, 450 incidents were reported between January and December. This year looks set to be just as bad, if not worse, than 2016.
The mid-year healthcare data breach report shows 3,159,236 individuals have had their protected health information exposed or stolen in the first six months of the year. One incident resulted in the theft of 697,800 records by an insider – the largest reported breach of the year to date.
The biggest single cause of healthcare data breaches so far in 2017 is insiders – both malicious actions such as data theft and unintentional breaches such as misdirected faxes and database misconfigurations. Insiders were responsible for 41% of breaches and the exposure of almost 1.17 million healthcare records.
96 incidents were caused by insiders, 57 of which were due to errors and 36 were due to insider wrongdoing. Those incidents resulted in the exposure of 423,000 and 743,665 records respectively. To put those figures in perspective, the total from January to December 2016 was 2 million records. Insider data breaches are clearly becoming an even bigger problem.
The second biggest cause of healthcare data breaches was hacking, which includes malware and ransomware attacks. Hacking has increase in 2017. Between January and June there were 75 confirmed cases of hacking, accounting for 32% of the total incidents. Those incidents affected 1,684,904 individuals. In 2016, there were 120 hacking incidents reported in the entire year.
In third place with 18% of incidents was the loss or theft of physical PHI and portable devices, which resulted in the exposure of 112,302 records. 9% of breaches – affecting 178,420 individuals – could not be classified based on the information available.
Healthcare organizations are particularly slow at detecting data breaches. The median time from breach to discovery was 53 days, although the mean was an astonishing 325.6 days. Fortunately, healthcare organizations are now much better at reporting breaches to OCR and notifying patients. The mean time to report was 54.5 days with a median time of 57 days.
The data for the mid-year healthcare data breach report was provided by databreaches.net. Databreaches.net ‘s Dissent said 2017 has been “no good, horrible, very bad year.” Unfortunately, there are no signs that the year will improve, in fact June’s figures suggest it could get much worse. June saw 52 data breaches reported, the most incidents reported in any month so far in 2017.