Protenus has released its October Breach Barometer – a snapshot of healthcare data breaches that were reported last month. The report is a useful tool for tracking data security incidents and gives some insight into the main causes of healthcare data breaches in the United States.
Healthcare data breaches increased steadily through the first eight months of the year, peaking at 42 incidents in August. In September the count fell to 37, and the downward trend continued into October, when healthcare organizations reported 35 breaches. While this is certainly a step in the right direction, the month's total is still considerably higher than in the first six months of 2016, when the average was a little over 25 breaches per month.
The number of breaches is decreasing, but the number of people affected by those incidents has increased. In September, 246,876 individuals were impacted by healthcare data breaches; in October, the victim count rose to 776,533. That is still considerably lower than August, when 8,804,608 records were exposed.
The main causes of healthcare data breaches in October were hacking, malware and ransomware. In total, 14 incidents, 40% of the month's data breaches, were caused by hackers or involved ransomware or other malware. Four organizations reported ransomware attacks in October, and three of those attacks resulted in data loss: two organizations lost data while attempting to restore files from backups, and one lost data to the ransomware itself. The incidents show that while backups are the primary means of recovering from a ransomware attack, restoring from them is not guaranteed to succeed; a backup that has never been test-restored is not a recovery plan.
Two further attacks were conducted by a hacker operating under the name The Dark Overlord. The hacker infiltrated two healthcare organizations’ systems and stole patient data. A demand for payment was then issued to prevent the data from being listed for sale or published. There is no indication that either organization made any payment to the hacker. At present, the incidents have not been reported to the Department of Health and Human Services’ Office for Civil Rights so it is unclear how many individuals have been impacted.
Insider incidents were also a major cause of healthcare data breaches in October. 37% of incidents were caused by accidental or deliberate breaches by insiders. The October Breach Barometer report indicates 8 breaches were the result of insider wrongdoing and five incidents were accidental.
6% of reported incidents involved the loss/theft of unencrypted devices, while the cause of 17% of reported breaches is currently unknown.
Last month, Protenus found that it took an average of 151 days from the time of a breach to the Office for Civil Rights being notified. This month, the average time to notify OCR fell to 63 days. Rapid identification of breaches is important: the HIPAA Breach Notification Rule's 60-day reporting clock runs from the date a breach is discovered, so a long gap between the breach itself and the report usually reflects slow detection rather than slow reporting. The sooner a breach is discovered, the easier it is to limit the harm caused.