This year has seen healthcare data breaches remain steady for the first couple of months, although March saw the number of incidents rise and the severity of those incidents also increase. In January and February, 31 incidents occurred each month. In March, there were 39 reported incidents, according to the latest Breach Barometer healthcare data breach report from Protenus.
The number of records exposed or stolen in those attacks increased sharply: more than two and a half times as many individuals were impacted by data breaches in March as were affected by the healthcare data breaches in January and February combined. One massive data breach was reported that affected 697,000 patients. That incident involved the theft of a device containing electronic protected health information.
The biggest cause of data breaches affecting the healthcare industry last month was insiders, although those breaches affected relatively few patients. Just 179,381 individuals were impacted by insider breaches, even though the incidents accounted for 44% of the month’s total. Of those incidents, 10 were the result of errors and 7 were caused by malicious insiders.
Hacking was the second biggest cause of breaches in March, with 11 incidents or 28% of the total. Those incidents accounted for a considerable share of the month’s exposed records: more than 600,000. Hacking was followed by theft. Theft incidents caused the exposure or theft of the most records, 737,131, although theft accounted for just 21% of the month’s total number of incidents.
In January, 82% of reported data breaches involved third parties. The figure fell to 21% in February, and further still in March, when only 3% of the month’s reported breaches involved third parties.
In February, there was a major jump in the average time from the discovery of a breach to a report being submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR). In February, it took an average of 478 days for the report to be submitted. This month, healthcare organizations took less time to issue the notifications: an average of 45 days, well inside the 60-day HIPAA Breach Notification Rule deadline. This year’s HIPAA settlement for a breach notification delay may well have played a part in the faster reporting times.
In March, Texas was the worst-affected state with 6 reported breaches. California, which usually tops the list, had only one breach.
Healthcare providers reported the majority of data breaches (84.6%); 10.3% affected health plans, and 2.6% (one breach) was reported by a HIPAA business associate.