The latest Breach Barometer report from Protenus and Databreaches.net shows that healthcare data breaches have dropped for the second consecutive month. In August, 33 healthcare data breaches were reported, down from 36 incidents in July and 56 in June. While the drop in the number of data breaches is encouraging, that is still more than one healthcare data breach per day.
While August was the second best month of the year so far in terms of the number of reported incidents, it was the third worst in terms of the number of individuals impacted. 575,142 people were impacted by healthcare data breaches in July, with the figure rising to 673,934 individuals in August. That figure will rise further, as two incidents were not included in the total because it is not yet known how many individuals had their data exposed.
The worst incident of the month was reported by Pacific Alliance Medical Center: a ransomware attack that impacted 266,133 patients, one of the worst ransomware incidents of 2017 so far.
During 2017, insider incidents have featured heavily in the breach reports, although in July hacking was the biggest cause of PHI breaches. That trend continued in August, with hackers responsible for 54.5% of all reported data breaches. Those incidents accounted for 95% of all patient records breached during the month. The hacking totals include phishing and ransomware attacks; at least five of the data breaches reported in August involved ransomware.
In August, insiders were responsible for nine incidents (27.3% of the total): seven were insider errors and two were due to insider wrongdoing. A further 15.2% of breaches were caused by the loss or theft of unencrypted devices containing PHI.
While breaches of electronic protected health information dominated the breach reports, six of the reported incidents involved physical records, including two mailings in which PHI was visible through the clear plastic windows of the envelopes.
Protenus notes that while healthcare organizations appear to be getting faster at discovering data breaches, the figures for the past two months may not reflect a genuine improvement. The decrease in time taken to identify breaches has coincided with an increase in hacking attacks, which tend to be identified far more quickly than insider breaches, so the shift in the mix of incident types may account for much of the apparent gain.
Protenus remarked: “For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days),” demonstrating the difficulty healthcare organizations have in detecting insider violations.
On the whole, organizations are reporting breaches to HHS and notifying patients within the 60 days of discovery required by the HIPAA Breach Notification Rule, with only three organizations exceeding the deadline. One of those organizations took 177 days from the discovery of the breach to report the incident to HHS. The average reporting time was 53 days and the median was 58 days.
The breach reports followed a similar pattern to most months, with healthcare providers suffering the majority of breaches (72%), followed by health plans (18.2%). Business associates reported 3% of breaches, and 6% were reported by other entities, including a pharmacy and a private educational institution. Texas was the worst hit state in August with five breaches, followed closely by California with four, and Ohio and New York with three each.