The monthly Breach Barometer Report from Protenus shows that healthcare data breach reporting is improving, data breaches are down, and there was a significant reduction in healthcare data breach victims in April 2017.
The Health Insurance Portability and Accountability Act (HIPAA) places a time limit on reporting healthcare data breaches to the HHS’ Office for Civil Rights (OCR) and sending breach notifications to patients. That time limit is 60 days from the discovery of the breach.
Healthcare organizations face fines for late breach notifications, with this year seeing the first settlement with a covered entity based solely on delayed breach notifications. OCR sent a message to healthcare organizations with that settlement. Delaying breach notifications is a serious HIPAA violation and tardiness will not be accepted. The announcement of that HIPAA penalty appears to have been a wakeup call for healthcare organizations.
Even so, many organizations are still slow to issue breach notifications. For example, while healthcare data breach reporting has improved in recent months, the April Breach Barometer Report from Protenus shows that only 66% of healthcare organizations reported data breaches inside the Breach Notification Rule time limit.
Overall, it took an average of 59 days from the discovery of a data breach to the issuing of a breach notification to OCR in April. Last month the average time to report a breach was 45 days. In February, the average time was 478 days from discovery to reporting, although two extremely long delays skewed the averages that month.
Each month, the Breach Barometer Report provides an insight into the main causes of healthcare data breaches. While insiders have been a major cause of data breaches affecting the healthcare industry, in April it was IT incidents that were the main causes of data breaches.
IT incidents include hacking, phishing and ransomware attacks. Of the 16 IT incidents, three were phishing attacks that resulted in the exposure of patients' ePHI, five involved ransomware, and the remainder were due to hacking.
Hacking was the cause of the largest healthcare data breach in April, involving the exposure and possible theft of 93,323 patient records.
In total, there were 232,060 healthcare data breach victims created in April. In March the total was in excess of 1,500,000, although a large percentage of those victims were created in a single incident.
The number of data breaches fell from 39 incidents in March to 34 in April, with healthcare providers the worst hit, accounting for 79.41% of breaches. Two health plans and two business associates also reported data breaches in April.