News Feature | March 8, 2017

A Breach A Day May Keep Patients Away

Christine Kern

By Christine Kern, contributing writer

Retail Breaches

2017 has seen an average of one health data breach per day to date.

There was an average of one health data breach per day in January of 2017, and those 31 health data breaches affected 388,307 patient records according to a Protenus report. The cybersecurity firm reported 59.2 percent of the breaches, impacting 230,044 patient records, were a result of insiders, while hacking incidents accounted for 145,636 patient records compromised in January.

January also marked renewed efforts by HHS to fine organizations for late reporting of breaches, making cybersecurity an even higher priority this year for healthcare organizations. As the Protenus blog post suggests, January’s “health data breaches reinforce the importance of health data security, as the need to protect patient data from insiders continues to loom large. Healthcare organizations, more than ever, need to be proactive in discovering and reporting when a breach has occurred. This is especially the case given that HHS OCR has issued its first fine for failing to report a breach within their 60-day window.”

Data provided on HHS’ Office for Civil Rights breach disclosure website affecting 500 or more individuals shows theft/loss of laptops have declined while hacking has risen in at least the past three years.

According to Protenus, 2016 also averaged at least one health data breach a day, and while there were slightly fewer incidents disclosed in January than the 36 in December 2016 (with dramatically fewer patients affected), 2017 seems to be on track for similar yearly figures.

The data further reveals insider threats remain a serious concern with the majority of breached patient records attributable to insider incidents. Further, five of the nine insider incidents were the result of insider-wrongdoing, while four were the result of insider-error.

Hacking continues to threaten patient privacy, including an extortion demand from TheDarkOverlord. Another hacking incident disclosed in January revealed an atypical case in which an attack interfered with patient care when data was corrupted and clinics could not access data for marijuana records and prescriptions.

When it comes to the elapsed time between time of breach and HHS notifications, Protenus noted the average was 174 days, and 40 percent of reporting entities took more than 60 days to notify HHs. With the recent $475,000 fine to Presence Health HHS has sent a clear message that timely reporting is not an option, but a requirement. Last year, HHS announced that it would begin conducting on-site HIPAA audits in 2017.