A Q3 2018 healthcare data breach report from Protenus shows there has been a significant reduction in healthcare data breaches compared to the previous quarter. In Q2, 142 healthcare organizations reported data breaches compared to 117 in Q3.
However, due to some large breaches in Q3, the total number of exposed records was substantially higher. Between July and September, the health records of 4,390,512 patients were exposed, impermissibly disclosed, or stolen compared to 3,143,642 healthcare records in Q2. Each quarter in 2018, the number of exposed records has increased substantially.
The large increase in exposed records in Q3 is partly due to a massive data breach at UnityPoint Health that was disclosed in July. That single breach exposed more records than all 110 healthcare data breaches reported in Q1 2018 combined. The breach was a phishing attack in which several UnityPoint Health email accounts were compromised; those accounts contained the PHI of 1.4 million patients. The largest healthcare data breach in August was a hacking incident at a healthcare vendor that resulted in the exposure of 502,416 records. The largest breach in September was reported by a health plan and impacted 26,942 plan members.
Hacking and other IT incidents accounted for 51.28% of all data breaches in Q3. The second biggest cause of breaches was insider incidents (23.08%), followed by loss/theft incidents (10.26%). The cause of 15.38% of breaches in Q3 is not clear.
Hacks and IT incidents also accounted for the highest number of exposed/stolen healthcare records: 86% of all breached records in Q3. In total, 3,649,149 records were compromised in the 60 incidents attributed to hacks and IT incidents. There were 8 reported ransomware/malware attacks and 10 incidents involving phishing. It was not possible to determine the exact cause of 18 ‘hacking’ incidents.
Q3 saw an increase in insider breaches. Insider breaches were split into two categories: insider errors and insider wrongdoing. Insider wrongdoing includes impermissible disclosures of PHI, employees snooping on medical records, and theft of healthcare records by employees. Insider breaches resulted in the theft, exposure, or impermissible disclosure of 680,117 patient records.
Of those, 19 incidents were classed as insider errors and affected 389,428 patients. There were 8 confirmed cases of insider wrongdoing that affected 290,689 patients, a major increase from the 70,562 patients affected by insider wrongdoing incidents in Q2 and the 4,597 patients affected by similar incidents in Q1.
In Q3, 19% of breaches involved paper records and 81% involved electronic medical records.
Healthcare providers suffered the most breaches in Q3 (74% of breaches), followed by health plans (11%) and business associates (11%). 23% of the quarter’s breaches had some business associate involvement.
The report reveals that healthcare organizations and their vendors are slow to detect breaches. In one case, it took a healthcare provider 15 years to discover that an employee had been snooping on healthcare records. In those 15 years, the employee impermissibly accessed the records of thousands of patients.
The average time to detect a breach was 402 days and the median time was 51 days. The average time to report breaches was 71 days and the median time was 57.5 days.
Florida was the state worst affected by healthcare data breaches in Q3 with 11 incidents, followed by California on 10 and Texas on 9.