- Almost 32 million patient records were breached in the first half of 2019 — more than double the records breached over the entire 2018 calendar year, according to the latest breach barometer report from IT security firm Protenus. Last year saw breaches of more than 15 million patient records.
- The number of disclosed incidents also rose in the first half of the year, with 285 breaches reported between January and June.
- There has been at least one health data breach a day since 2016, with the clear majority in the first half of this year (59%) due to hacking. Insider error or wrongdoing contributed to 21% of the breaches, loss or theft to 9% and the remainder's causes were unknown.
As HHS pushes for the free, unfettered flow of data across the health ecosystem, patients are increasingly demanding access to their personal records and third-party tools are cropping up to fill the need.
Breach activity has waxed and waned throughout the year, with 41 in January, 38 in February, 43 in March, 57 in April, 67 in May and 39 in June. The spike in May correlated with 21 million breached patient records, roughly 10 times higher than other months.
The single largest data breach in the first half of the year stemmed from a hack of American Medical Collection Agency, a major collections agency working for companies such as Quest Diagnostics and LabCorp. More than 20 million patient records were breached, with hackers gaining access in some cases to highly sensitive medical information. Patient data was even found up for sale on the dark web.
The scale and severity of the breach, indicative of a much larger issue for the healthcare industry, could lead to increased political and regulatory oversight. State and federal lawmakers have already begun to dig into the issue, with two U.S. senators (including presidential hopeful Cory Booker, D-N.J.) sending a letter to New Jersey-based Quest inquiring into the cause of the breach, and how it went unnoticed.
The AMCA debacle "contributes significantly to this sharp increase in affected patient records and is an unfortunate example of the damage that can be done by hacking incidents that remain undiscovered over long periods of time," Protenus said.
The large majority of overall breaches (72%) occurred in the provider setting, Protenus found. That's 205 breaches, compared to the 32 in a health plan, the 26 in a business associate or third-party vendor and the 22 disclosed by businesses or other ancillary organizations.
Insider error, which caused over 20% of the 2019 data breaches, can go undetected for several years. Since healthcare employees have access to patient records, it's difficult to detect when there's been an incident.
Hacking is far more common. Of the 135 incidents involving hacking that disclosed details to HHS or the media, 27 were due to ransomware or malware, 88 due to phishing attacks and one extortion.
It took companies an average of 214 days to discover a breach had occurred, but time until discovery varied widely, from one day to eight and a half years.
Geographically, California had the most data breaches per state in the first half of 2019 (26 incidents), followed closely by Texas (22) and Florida (20). California usually has a higher number of reported breaches, perhaps due to stronger oversight, higher patient volume or more robust reporting methods.