Half a Million Healthcare Records Breached in January
There were at least 37 breaches that impacted the healthcare industry, affecting 473,807 patient records, in January 2018.
There were almost half a million healthcare records breached during the first month of this year and more than half of the records, nearly 60 percent, stemmed from one incident.
The numbers come via Protenus, a Baltimore-based healthcare data analytics company that regularly aggregates data breach statistics in a roundup the company calls its Breach Barometer.
The biggest incident, which affected the network at Oklahoma State University's Center for Health Sciences, occurred in November last year but wasn’t widely reported until the second week of January. The facility was forced to notify nearly 280,000 Medicaid patients after it determined an unauthorized third party had managed to gain access to folders on its network.
While the folders didn't contain actual medical records they did contain patients’ names, Medicaid numbers, healthcare provider names, dates of service, and limited treatment information.
A staggering 83 percent of those healthcare records were breached following a hack of some sort. According to the firm when it comes to classifying those hacks, the number of insider and external threats continue to run neck and neck, with 12 and 11 incidents reported respectively.
In 2017 external hacking incidents accounted for 178 data breaches, affecting 3.4 million patient records. A similar number, 176 data breaches, were caused by insider incidents, compromising 1.6 million patient records.
While the sheer number of records breached - 473,807 across 37 breaches - is intriguing, some of the stories behind the incidents are more fascinating.
One breach stemmed from a nurse inappropriately accessing records over the course of 15 months. From February 2016 to May 2017 a nurse at Palomar Health, a healthcare foundation based in Escondido, Calif. accessed records of 1,309 different patients. The facility claims the nurse didn't transfer the data but had access to patients' first and last names, dates of birth, gender, medical record number, and medications.
While the nurse didn't have access to the database that contained social security numbers, there were at least four patients whose files contained social security numbers, health insurance coverage details, and financial information.
Another breach disclosed last month took four years to come to light.
A former employee at Pediatric Endocrinology and Diabetes Specialists, a medical center in Las Vegas, walked off with data on 1021 patients, including names, dates of birth, medical record numbers, diagnosis codes, and clinical notes.
It wasn't until last month, when the facility was performing an audit of its computer logs that it discovered information had been breached. A note on the office’s site that claims the facility reported the breach to OCR (Office of Civil Rights) and that patients shouldn't worry doesn’t instill much confidence:
“We feel that you do not need to take any proactive steps to limit any harm," the note reads, "The breach was 4 years ago, and we suspect it was to take patient data for recruitment to another medical facility in Las Vegas.”
While Protenus' report gives a great month-by-month breakdown of healthcare breaches it isn't comprehensive. For many of the breaches the company only had access to details that were reported on the Department of Health and Human Services’ (HHS) public breach tool.
Last month's AllScripts incident, which saw ransomware knock 1,500 customers who use the company's electronic health record (EHR) system offline, was massive but it's unclear exactly how many patient records were ultimately affected. The outage affected the company's Professional EHR services along with the system it runs to allow the electronic prescribing of controlled substances; the system is used by 45,000 physician practices and 180,000 physicians.