Data breaches compromised 15.1M patient records last year
- Data breaches continued to hound the healthcare industry in 2018, with 503 incidents affecting nearly 15.1 million patient records, according to Protenus' latest breach barometer report. The number of affected records was up sharply from 2017, when 477 breaches affected 5.6 million records.
- The largest breach involved North Carolina-based Atrium Health, which had its system hacked by a business associate, compromising 2.65 million patient records. The affected information included social security numbers.
- Insiders were responsible for 139 breaches last year, down from 176 in 2017. Of those, 94 involved insider error and 45 involved insider wrongdoing.
Breaches cost healthcare organizations more than lost revenue from service interruptions and potential HIPAA fines, though those can be hefty. They can also harm brand image and cause customers to take their business and medical care elsewhere.
Yet security vulnerabilities of EHRs and insufficient funding for cybersecurity continue to put many health systems and other organizations at risk — often from their own employees.
According to a JAMA Internal Medicine research letter published in November, more than half (53%) of 1,138 data breaches the researchers analyzed originated inside the organization.
Protenus cites one case last year where a medical assistant printed patient profiles and gave the information to people who used them to commit crimes. The medical assistant allegedly racked up more than $33,000 in fraudulent unemployment benefits before getting caught.
Roughly two-thirds of insider breaches (67.4%) involved snooping on a family member, and more than half (51%) were repeat offenders.
Insider breaches can be especially hard to detect because employees often have legitimate access to systems and patient records, the report notes. The longest breach occurred over 15 years at VCU Health System in Richmond, Virginia. Several more took more than four years to discover.
On average, it took organizations 255 days to detect a breach, down from 308 days in 2017.
The number of hacking incidents climbed to 222 last year, up from 178 the prior year. There were also 61 breaches due to theft and 67 that could not be categorized.
Overall, providers reported 70% of health data breaches, health plans 12%, business associates/vendors 10%, and other 8%.
Protenus predicts the trend of one breach per day begun in 2016 will continue this year, with a likely uptick in incidents reported to HHS.
"The industry is getting better at breach detection by using advanced analytics to reduce overall risk to their organization, but phishing techniques are of concern and seem to be increasingly popular with hackers," according to the report. "Hospital employee education and training to detect and not fall victim to these attacks will be imperative to get ahead of the hacking incidents currently plaguing healthcare."
Only two states — Delaware and South Dakota — managed to escape any breaches in 2018. California experienced the most with 63, followed by Texas (38) and Florida (31).