The healthcare data breach report for January 2017 published by Protenus this week highlights the danger of insider data breaches. Insider data breaches accounted for the largest percentage of healthcare data breaches disclosed in January 2017, considerably more than those caused by hackers.
Summary of the Protenus Healthcare Data Breach Report for January 2017
In January 2017, 31 healthcare data breaches were disclosed publicly. The causes and scale of all of those breaches are not yet known (figures are available for 26 of the 31), but insiders were the leading cause of exposed records: insider wrongdoing alone accounted for 58.4% of the 388,307 records known to have been exposed, and insider incidents as a whole (wrongdoing plus employee error) for 59.2%.
The insider threat is perhaps the hardest to mitigate, yet the risk posed by malicious insiders and negligent employees is considerable. In January 2017, four incidents (for which data have been obtained) were the result of insider wrongdoing and four were the result of errors by healthcare employees. Insider wrongdoing exposed 226,798 healthcare records while employee errors resulted in the exposure of 3,246 records.
While insiders were behind the majority of exposed records, ‘hacking’ was the second biggest cause of exposed or stolen data and accounted for the largest number of incidents. In total, 12 healthcare data breaches in January 2017 were attributed to hackers or IT incidents. Those incidents resulted in the exposure of 145,636 healthcare records (37.5% of the monthly total). While data theft and extortion accounted for most of those incidents, the total also included phishing attacks on healthcare providers.
Loss and theft of unencrypted devices and physical records accounted for 7 of the 31 incidents (22.6% of the monthly total) and 6,162 healthcare records.
While healthcare organizations are focused on preventing breaches of electronic protected health information, it is important not to ignore physical records and documents containing PHI. 5 of the 31 breaches disclosed in January 2017 involved physical records.
As has been the case in the past few months, healthcare providers experienced the most breaches. There were 25 healthcare provider-reported breaches in January, four incidents involving health plans, and two incidents attributed to business associates/third parties.
Due to the number of healthcare organizations operating in California and it being the most populous state, it is unsurprising that the state was top of the list for healthcare data breaches in January once again. 6 breaches impacted Californian organizations, with the remaining breaches spread across 21 states. Maryland was the second worst affected state with 3 breaches disclosed in January.
The healthcare data breach report for January 2017 also highlights what appears to be a growing problem – the delayed issuing of breach notifications. In January, 40% of breaches were reported outside the time frame required by the Health Insurance Portability and Accountability Act’s Breach Notification Rule, which requires notification without unreasonable delay and no later than 60 calendar days after the breach is discovered. Only last month, the Department of Health and Human Services’ Office for Civil Rights settled with a covered entity – Presence Health – for delaying the issuing of breach notifications by more than a month beyond that deadline. A payment of $475,000 was made to resolve the HIPAA violations.
The healthcare data breach report for January 2017 shows the average time between a breach occurring and OCR being notified was 174 days, while the time between a breach occurring and its discovery averaged 123.5 days. Since the 60-day notification clock only starts at discovery, the long discovery lag is the larger problem: the data were exposed for an average of four months before the organization even knew it had a breach to report.