The 2016 healthcare data breach report from cybersecurity company Protenus shows that 2016 was a record-breaking year for healthcare data breaches. In 2016, more than one healthcare data breach occurred every day on average. Those breaches resulted in the theft or exposure of 27 million individuals’ confidential information.
In total, 450 breach incidents were reported by healthcare organizations – healthcare providers, health plans, healthcare clearinghouses, and business associates of healthcare organizations – in 2016.
Hacking incidents and ransomware attacks on healthcare organizations accounted for 26.8% of data breaches according to the 2016 healthcare data breach report.
It is difficult to determine how many healthcare ransomware attacks occurred in 2016. The Protenus 2016 healthcare data breach report indicates 30 ransomware attacks were reported. However, HIPAA does not require healthcare organizations to report every ransomware attack, only those incidents that are treated as breaches of ePHI; under the HHS Office for Civil Rights' July 2016 ransomware guidance, encryption of ePHI by ransomware is presumed to be a breach unless the covered entity can demonstrate a low probability that the data were compromised. HIPAA-covered entities also have up to 60 days from discovery to report a breach. The final total for the year will undoubtedly be higher.
While the threat from hackers cannot be ignored, the biggest cause of healthcare data breaches in 2016 was insiders. Insider incidents accounted for 43% of healthcare data breaches in 2016.
Insider breaches were classed either as employee wrongdoing, such as data theft, snooping on patient records, or other willful breaches of healthcare data, or as human error. Of the 192 insider incidents, the split between accidental and deliberate breaches was fairly even: 99 were accidental and 91 were deliberate. Insufficient data were available to classify the remaining two incidents.
Insider error resulted in larger data breaches than insider wrongdoing. The average number of records exposed in accidental insider breaches was 17,642. Insider wrongdoing may involve the theft or exposure of fewer records (an average of 5,729) although the breaches often result in more financial harm being caused to breach victims.
The largest healthcare data breach of 2016 was reported by Banner Health. That breach resulted in the exposure of 3.62 million patient health records. The two worst months of the year in terms of the number of healthcare records breached were June and August, when 10,880,605 and 9,096,515 healthcare records respectively were exposed. November was the worst month of the year in terms of the number of data breaches reported, with 58 separate incidents. The 2016 healthcare data breach report shows that an average of 37.5 breaches were reported each month.
80% of incidents were reported by healthcare providers, 10% by health plans, 6.3% by business associates of covered entities, and 4% by other entities.
The Protenus 2016 healthcare data breach report indicates that breaches involving insider wrongdoing took the longest to discover: an average of 607 days. Overall, the average time to discover a healthcare data breach in 2016 was 233 days, while the average time from the breach occurring to the incident being reported to the Department of Health and Human Services was 344 days.