Following an unusually bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October according to the November 2017 Healthcare Breach Barometer Report from Protenus.
The Protenus monthly summary of healthcare data breaches collates incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents made public using media outlets and tracked by databreaches.net.
Those incidents include several HIPAA breaches that have still not been reported to OCR, including a significant breach that has impacted a minimum of 150,000 individuals – the actual number of individuals impacted will not be revealed until the investigation has come to an end. The numbers of individuals impacted by another eight HIPAA breaches have not yet been disclosed.
Including the 150,000 individuals impacted by most serious breach of the month, there were 246,246 people affected by healthcare data breaches in October 2017 – the lowest monthly overall total since May 2017.
Healthcare has, historically, recorded a higher than average number of data breaches due to internal members of staff, although over the past few months hacking has been the leading causing factor of breaches. That trend has persisted throughout October. Hacking was the cause of 35.1% of all incidents, insider incidents to blame for 29.7% of the total, with the loss and illegal theft of devices accountable for 16.2% of incidents. The causes of the remaining 18.9% of breaches has not yet been made known.
Though hacking incidents usually lead to more records being obtained or stolen, in October insider errors allowed access to more healthcare data. 65% of the total number of breached records involved insider errors.
157,737 individuals had their PHI exposed thanks to insider errors and insider wrongdoing, while hacks resulted in the illegal accessing of 56,837 individuals’ PHI. Protenus remarked that three incidents were due to the hacking group known as TheDarkOverlord.
In total, there were 11 HIPAA breaches due to insiders – five were due to errors and six were caused by insider wrongdoing. The biggest breach caused by insider error was the failure to safeguard an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports – holding the PHI of at least 150,000 individuals: One of two such incidents reported during October that involved unsecured AWS S3 buckets.
Another insider incident involved the mailing of promotional material to individuals where PHI was visible through the envelope – a major breach incident that potentially caused considerable damage, as the information accessible related to patients’ HIV status.
The average length of time taken from breach to identification was 448 days in October. The median time was 304 days, showing healthcare organizations are still having trouble detecting data breaches rapidly.
Two HIPAA-covered entities submitted reports of breaches to the OCR well after the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of the reports of those incidents was reported three years after the HIPAA breach was detected. In that scenario, the breach involved a staff nurse who was accessing patient records and using the information to file false tax returns. The median time from discovery to filing a report was 59 days.
Healthcare providers submitted reports regarding 29 incidents, there were seven incidents reported by health plans, one breach was reported by a school. The involvement of a business associate was present in four incidents.
The worst hit states in October were California and Florida with four incidents apiece.