Protenus has released its 2020 healthcare data breach report which shows the past 12 months have been the worst ever in terms of the number of reported breaches. For its 2020 Breach Barometer report, Protenus, in conjunction with databreaches.net, identified more than 572 healthcare data breaches of 500 or more records in 2019, up 48.6% compared to 2018. The number of data breaches affecting the healthcare industry has increased steadily since 2016 when Protenus started producing the reports, increasing from 450 breaches in 2016, to 477 in 2017, 503 in 2018, to 572 in 2019.
Out of the 572 breaches reported to the Department of Health and Human Services’ Office for Civil Rights, the media, and other sources, the number of compromised or exposed records is known for 481 incidents. Across those 481 incidents, the records of 41,404,022 patients were breached, which is more than three times the number of records breached in 2018.
As Protenus notes in its report, the total number of individuals affected is likely to be substantially higher. The 91 breaches for which figures are not known include two data breaches that affected more than 500 dental practices and clinics.
The largest data breach of the year affected a business associate of a HIPAA-covered entity, a debt recovery agency. That single breach saw the records of more than 20 million patients compromised over a period of several months. Hackers first gained access to its systems in September 2018 and continued to access those systems until March 2019.
Hacking incidents dominated the breach reports in 2019. Hacking and IT incidents accounted for 330 of the reported breaches – 58% of the year’s total. The number of hacking incidents has risen steadily since 2016 when there were just 126 hacking incidents reported. Figures were obtained for 297 hacking-related breaches in 2019, which involved 36,911,960 healthcare records. In 2018, 11,335,514 records were compromised in hacking incidents.
Phishing was the main cause of those incidents, followed by ransomware/malware attacks, and other ransom and extortion incidents. In addition to attempting to extort money from healthcare providers, ransomware gangs started stealing data prior to deploying ransomware in an effort to get the victims to pay up rather than restore their files from backups. Threats were issued to publish data if the ransom was not paid, and more than one threat group followed through on that promise. There was also once case of ransom demands being sent to the hacked entity and patients, demanding ransom payments from all to prevent the publication of their data.
The second biggest cause of healthcare data breaches in 2019 was insider breaches, which accounted for 19% of all reported breaches in 2019, down from 28% of incidents in 2019.
Data was obtained for 85% of those breaches, which involved 3,800,312 patient records, or 9% of the total for the year. 3,659,962 records were exposed as a result of insider error and 136,566 were due to insider wrongdoing (theft, snooping, etc.).
Since 2016, the number of insider breaches has fallen each year from 192 incidents in 2016 to 110 incidents in 2019, which Protenus attributes to the increased adoption of healthcare compliance analytics in health systems and improved employee education. However, the number of records exposed in those breaches has increase each year since 2015. In 2018 there were 139 insider breaches and 2,793,607 records were exposed. The 110 insider breaches in 2019 saw 3,800,312 records compromised.
The increased use of encryption has helped reduce the number of records exposed in theft incidents. In 2019, there were 43 reported theft incidents involving 370,124 records.