2019: A Particularly Bad Year for Healthcare Data Breaches

Cyberattacks on healthcare organizations have continued to increase throughout the first half of 2019, and this year has seen the discovery of the second largest healthcare data breach ever reported. American Medical Collection Agency experienced a cyberattack in which the records of more than 20 million patients were exposed and potentially stolen.

It should be no surprise to hear that in terms of both the number of healthcare data breaches and the number of records exposed, 2019 is turning out to be a very bad year. An analysis of 2019 healthcare data breaches by Protenus and databreaches.net has shown just how bad 2019 has been. In the first 6 months of the year, at least 31,611,235 healthcare records were exposed or impermissibly disclosed in 285 reported data breaches.

The 2019 Breach Barometer report indicates there were 503 breaches reported in 2018 and 14,217,811 healthcare records were exposed. 2019 has therefore seen an extra 33 breaches reported and more than twice as many healthcare records exposed as in all of 2018, with 6 months of 2019 still to go.

It is also worth noting that 2018 was a record-breaking year for healthcare data breaches. More data breaches were reported in 2018 than in any other year to date.

Hacking and other IT incidents accounted for 58.54% of healthcare data breaches in the first half of the year and were behind 88% of exposed records – 27,819,320 patient records. Data is not available on all reported breaches, but at least 88 incidents specifically mentioned phishing, and 27 incidents are known to have involved malware or ransomware.

20.91% of breaches were classed as insider incidents and are known to have involved at least 3,457,621 patient records, or 11% of all breached records in the first half of the year. There were 22 insider wrongdoing incidents – such as theft of PHI – and 35 insider error incidents.

9.41% of incidents were due to loss or theft of physical PHI or electronic devices containing ePHI. The cause of 11.15% of reported incidents is unknown.

Healthcare providers were the worst affected with 72% of reported breaches, followed by health plans (11%) and business associates (9%). California was the worst affected state with 26 breaches, followed by Texas with 22 and Florida with 20.

It took an average of 214 days to discover a data breach (median 50 days), although one breach took 8.5 years to discover. HIPAA requires all covered entities to report data breaches to OCR within 60 days of the discovery of the breach. Several healthcare organizations missed that deadline. The average time to report a breach was 77 days and the median was 60 days.

The increase in both the number of healthcare data breaches and the number of records exposed shows that healthcare organizations need to improve their security posture and implement mechanisms to detect potential breaches much more quickly.

“It is critical for healthcare privacy offices to utilize healthcare compliance analytics that will allow them to audit every access to their patient data,” wrote Protenus. “Full visibility into how their data is being accessed will help healthcare organizations prevent data breaches from wreaking havoc on their organization and the patients who trust them with their personal information.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news