The latest installment of the Protenus Breach Barometer Report shows a quarter-over-quarter fall in the number of healthcare data breaches compared with Q2 2018; however, the number of healthcare records exposed, stolen or impermissibly disclosed rose in Q3.
The number of healthcare records exposed in data breaches has risen in each quarter of 2018. Between January and March, 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and between July and September 4,390,512 healthcare records were exposed, stolen or impermissibly disclosed in 117 breaches.
The largest healthcare data breach in Q3 was reported by the Iowa health system UnityPoint Health. The breach resulted from a phishing attack in which many email accounts were compromised. Those accounts contained the protected health information (PHI) of more than 1.4 million patients. It was the second phishing attack suffered by UnityPoint Health; an earlier phishing attack led to the exposure of 16,400 healthcare records.
Hacking was the leading cause of healthcare data breaches in Q3. 51% of the 117 breaches were attributed to hacking, and those incidents accounted for 83% of all records exposed in the quarter. Both the number of hacking incidents and the number of records exposed through hacking rose in Q3.
23% of Q3 data breaches (27 breaches) were caused by insider wrongdoing or insider error, leading to the theft, disclosure or exposure of 680,117 health records, 15% of the records exposed in Q3. Insider wrongdoing includes theft of data by an employee, snooping on medical records, and other incidents in which insiders violated the HIPAA Rules.
19 breaches were caused by insider error: mistakes by healthcare employees that led to the disclosure or impermissible exposure of healthcare records. Insider errors resulted in the disclosure or exposure of 389,428 patient records. There were 8 incidents involving insider wrongdoing.
Protenus has drawn attention to the substantial rise in records exposed or stolen through insider wrongdoing. 4,597 patients were affected by insider wrongdoing in Q1; the number rose to 70,562 in Q2, and 290,689 patients were affected by insider wrongdoing incidents in Q3.
22 breaches reported in Q3 involved paper records (19% of the total). Those incidents exposed 344,729 healthcare records.
Healthcare providers reported 86 breaches in Q3, health plans reported 13, and a further 13 breaches were reported by business associates. 5 breaches were reported by other entities. 27 incidents, 23% of the total, involved a business associate in some way.
On average, it took 402 days to discover a data breach. The average time to detect a breach was 51 days. One healthcare provider took 15 years to discover that an employee had been accessing healthcare records without authorization. Over that period, the employee had viewed the records of 4,686 patients without any work-related reason for doing so. The average time to report a breach was 71 days and the median time was 57.5 days.
The states worst affected by healthcare data breaches in Q3 were Florida with 11 incidents, followed by California with 10 and Texas with 9.