53% Of Healthcare Data Breaches Because of Insiders and Carelessness

November 27, 2018


The healthcare industry has had more than its fair share of hacking incidents; however, the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacks, malware, and ransomware attacks.

Researchers at Michigan State University and Johns Hopkins University studied data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of the breaches were the result of internal negligence.

The study, recently published in the journal JAMA Internal Medicine, follows on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals most susceptible to them. Although the earlier research shed light on which hospitals were most at risk, little information was available on the main causes of the breaches. The latest study addresses that gap.

The researchers carried out a retrospective study of the 1,183 healthcare data breaches reported to OCR between October 21, 2009 and December 31, 2017. Those breaches resulted in the exposure of 164 million healthcare records.

The analysis was restricted to breaches of 500 or more records, since OCR does not publish summaries of smaller breaches. The breach reports divide data breaches into six categories: hacking/IT incidents, unauthorized access/disclosure incidents, theft, loss, improper disposal, and unknown. 77.6% of breaches were accurately categorized; for 22.24% the cause was misclassified or unknown.

The researchers found that theft of data by third parties or unknown persons was the single most common breach cause, accounting for 32.5% of incidents, with mailing errors in second place (10.5%), followed by theft by current or former employees (9%). Internal/external hacking incidents accounted for about 20% of breaches, yet those incidents involved 133.8 million of the 164 million compromised records. 53% of all breaches were found to have originated from inside healthcare organizations.

“One-quarter of all the instances were caused by illegal access or disclosure – more than twice the quantity that was caused by outer hackers,” said Xuefeng Liang, associate professor of accounting and information systems at MSU’s Eli Broad College of Business and lead author of the report. “This might be a worker taking PHI home or forwarding to a private account or appliance, retrieving data without permission, or even through electronic mail errors, like sending to the wrong receivers, copying rather than blind copying or sharing unencrypted matter.”

An analysis of the location of breached PHI showed that 46.1% of breaches involved portable devices, 28.7% involved paper records, and 29.3% involved network servers.

The actions most commonly taken by healthcare organizations after a breach were deploying encryption software, restricting the use of portable devices, switching to digital records, improving physical security, strengthening firewalls and other cybersecurity defenses, and increasing monitoring and auditing.

Although many breaches pose little risk to patients (for example, the accidental disclosure of a name and address to another patient), the consequences of some breaches can be severe, for patients as well as for the breached entity. Anthem Inc.’s 78.8 million-record breach in 2015 was used as an example. Several breach victims had tax returns filed in their names, resulting in financial losses.

In addition to the substantial cost of remediating the breach (improving cybersecurity safeguards; hiring forensic investigators, cybersecurity experts, and legal counsel; printing and mailing notification letters; providing credit monitoring services for breach victims), Anthem had to cover the cost of defending several class action lawsuits, which were eventually settled for $115 million. Anthem was also recently fined $16 million by OCR to settle the HIPAA violations uncovered during its breach investigation. Anthem’s reputation has also been damaged by the breach, a cost that is hard to quantify.

The findings of the study are significant. “Healthcare units must know the reasons of PHI breaches if they aim to effectively control the trade-off between wider access or higher efficiency and more safety,” the researchers explained in the paper.