Breached Healthcare Records Tripled in 2018
There was at least one health data breach a day and 503 health data breaches overall in 2018 according to analysis released this week.
The number of breached patient records tripled in 2018, to the tune of some 15 million patient records, according to research released this week.
Those numbers - 5,579,438 records in 2017 to 15,085,302 records in 2018 – come despite only a modest uptick in health data breaches, from 477 in 2017 to 503 in 2018.
The research, Protenus’ 2019’s Annual Breach Barometer Report, looked at healthcare data breaches reported in 2018, including information taken from the Department of Health and Human Services’ Office for Civil Rights, letters to state attorney generals, and Databreaches.net.
The numbers are about in line with research published throughout the year last year. In August the firm said there were 3.14 million patient records breached across 150 incidents in Q2 alone that year, a number which when extrapolated across a year, gets close to 15 million records.
Looking at the cause of breaches, hacking-related incidents took the cake in 2018, accounting for 44 percent of breaches, a number that correlates to a jump in incidents, 178 in 2017 to 222 in 2018. Insider theft, a topic the researchers included human error and insider wrongdoing incidents in, was still prevalent but less so than the previous year. In 2017 insiders carried out more than a third of breaches, 37 percent. In 2018 insiders committed 28 percent of breaches.
Nearly half, 49 percent, of incidents involved the disclosure of health data by a business association or third party. Family snooping remains a big issue and can cause of breaches too; 67 percent of insider breaches came as the result of family members, while snooping co-workers were responsible for 16 percent.
It should come as little surprise that healthcare providers were among the hardest hit in 2018, accounting for 353 breaches, roughly 70 percent of all breaches. 62 of the breaches were reported by health plans and 39 were reported by other entities.
Those statistics lend credence to research published last November that suggests that more protected health information (PHI) is leaked by healthcare providers, not hackers. Research carried out by Michigan State University and Johns Hopkins University found that a quarter of the cases the researchers looked at were caused by internal unauthorized access or disclosure, more than twice the amount caused by external hackers.
That's just one research paper, one that looked at breaches between October 2009 and December 2017, it should be added.
The 44 percent figure in Protenus' research accounts for 11.3 million patient records impacted by hacking in 2018, more than three times the 3.4 million compromised by hacking in 2017.
One of 2018's biggest breaches came after AccuDoc, a third party billing vendor of Atrium Health, formerly Carolinas HealthCare System, experienced a breach in September. The North Carolina-based healthcare system indirectly had the billing information of 2.65 million people compromised as a result. Insurance policy information, medical record numbers, invoice numbers, account balances and dates of service may have also been accessed.
These days, it's difficult for healthcare orgs to be completely immune from cyberattacks. A survey published (.PDF) by the Healthcare Information and Management Systems Society (HIMSS) earlier this month said that two-thirds of non-acute and vendor organizations experienced a security incident over the last 12 months. To that effect, only a small fraction of respondents, 22 percent, said they didn't experience a significant security incident during the past 12 months.
Securing a modern healthcare organization can be a challenge but is essential in order to safeguard patient data. The Office for Civil Rights at the US Department of Health and Human Services encourages organizations to perform security risk assessments to identify vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Orgs should also ensure they perform security training, phishing simulation tests, and mitigate issues inherent with legacy systems.
Implementing a data protection platform that can secure PHI, both in the cloud, on internal desktops and laptops, or network servers, can ensure data security while satisfying the requirements of today's regulatory environment.