Healthcare Data Breaches in September Saw Nearly 500K Files Exposed

Protenus has issued its Breach Barometer report which discloses that there was a substantial surge in healthcare data breaches in September. The report contains healthcare data breaches informed to the Division of Health and Human Services’ OCR and safety cases followed by databreaches.net. The latter has yet to show on the OCR ‘Wall of Shame.’

Altogether, Protenus/databreaches.net followed 46 healthcare data breaches in September. Although the total quantity of breach victims has not yet been verified for all cases, at least 499,144 healthcare files are acknowledged to have been stolen or exposed. The number of files stolen or exposed in four of the month’s breaches has yet to be disclosed.

The high number of cases makes September the 2nd worst month of 2017 for healthcare industry files breaches. Only June was poorer when 52 data breaches were informed. In August, 33 data breaches were informed by healthcare companies.

The information verifies the worst case of the month was an illegal computer software attack that saw the records of 128,000 individuals made inaccessible. It’s unknown if those files were stolen or accessed.

The main reasons for healthcare data breaches in September were hacking (50%) as well as insiders (32.6%). The hacking aggregate contains blackmail attempts by TheDarkOverlord hacking group, ransomware cases, and malware attacks. Hacking cases formed 80% of breached files for the month – 401,741 files – even though figures for 4 of the cases haven’t yet been disclosed. The hacking cases in September contained one verified ransomware case, eight coercion attempts, and seven phishing attacks.

The 15 insider cases led to the exposure of 73,926 files. Those cases comprised six insider mistakes and eight cases of insider wrongdoing. Four thievery cases were informed which affected 17,295 patients.

The breaches happened at 31 healthcare suppliers, 6 health campaigns, 6 business companions of HIPAA-covered units, and 3 institutes, with California the worst impacted with 5 cases.

While most healthcare companies noticed their data breaches within 6 weeks – the medial period for detection was 38 days – it required one healthcare supplier 2108 days to discover that one of its employees had been improperly accessing medical records.

Most healthcare companies informed their breaches within the HIPAA Breach Notification Rule deadline of 60 days, though there were two exemptions. One healthcare company required 249 days to inform its breach, endangering a substantial HIPAA violation penalty.