The latest edition of the Protenus Healthcare Breach Barometer report has been released. Protenus reports that at least 473,807 patient records were stolen or exposed in January, although the number of individuals affected by 11 of the 37 breaches is not yet known. The true total is expected to be substantially higher, potentially taking the final figure to over half a million records.
The report shows that insiders continue to cause problems for healthcare organizations. Insiders were the single largest cause of healthcare data breaches in January. Of the 37 healthcare data breaches reported in January, 12 were attributed to insiders, or 32% of all breaches.
Although insiders were the leading cause of breaches, those incidents affected a comparatively small number of individuals, just 1% of all records breached. Insiders exposed 6,805 patient records, although figures could only be obtained for 8 of the 12 breaches. Seven incidents were attributed to insider error and five to insider wrongdoing.
Protenus highlighted one insider breach in particular. A nurse was found to have accessed the health information of 1,309 patients without authorization over a period of 15 months. Had the healthcare organization had technology in place to monitor for inappropriate access, the privacy of hundreds of patients would not have been violated.
The second largest cause of healthcare data breaches in January was hacking/IT incidents. Healthcare organizations reported 11 hacking/IT incidents in January, 30% of all breaches. Unlike the insider incidents, these were not small breaches: they accounted for 83% of all records breached in January. A single hacking incident involved 279,865 records, 59% of all records breached in the month.
In total, 393,766 healthcare records were exposed in hacks and other IT incidents. The final figure may be considerably higher, as figures for five of those breaches have not been obtained. One of the incidents involving an unknown number of records was the ransomware attack on the EHR vendor Allscripts, which left some of its applications unavailable for several days. That incident may well prove to be the largest breach of the month.
Ransomware attacks remain the main problem in healthcare, with six of the 11 incidents involving malware or ransomware. Phishing, the subject of February's cybersecurity newsletter from HHS' OCR, was involved in at least two breaches.
The theft or loss of electronic devices containing ePHI, or of physical records, accounted for 22% of the breaches. Two incidents involving the loss of patient records affected 10,590 individuals, and four of the six theft incidents affected 50,929 individuals. The number of individuals affected by the other two theft incidents is not known. The cause of 16% of January's data breaches has not yet been disclosed.
The breakdown of breached entities followed a similar pattern to earlier months, with healthcare providers accounting for the majority of breaches (84%). 5% of the breaches involved a business associate (BA), 3% affected health plans, and 8% affected other entities.
Information on how long it took to discover a breach was only available for 11 of the 37 incidents. The median time from incident to detection was 34 days, while the mean was 252 days; the mean was skewed by one incident that took 1,445 days to discover.
The median time from discovery of a breach to reporting it was 59 days, one day short of the 60-day deadline set by the HIPAA Breach Notification Rule. The mean was 96 days. Four healthcare organizations took longer than 60 days to report their breaches, with one taking more than 800 days.