In the third quarter of 2018, the American healthcare industry reported 117 cybersecurity breaches to regulatory agencies or the media, affecting roughly 4.4 million patient records, according to a Protenus analysis released last week.
The number of incidents from July to September was somewhat lower than in Q2, the report said. However, the number of breached records has increased steadily in each quarter of 2018 so far: from 1.1 million in Q1 to 3.1 million in Q2 to 4.4 million now.
The single largest breach in Q3 was a phishing scam that hit Iowa-based UnityPoint. Scammers used official-looking emails to gain access to UnityPoint’s system and captured employees’ passwords, collecting the names, addresses, medical information and other sensitive data of 1.4 million people.
Although cybersecurity topped the list of IT investment for 2018, the year so far has been rife with breaches. The healthcare sector has led every other industry worldwide in data breach costs for the eighth year straight, as cybercriminals reach for the low-hanging fruit that is millions of electronic patient records.
In July alone, 2.7 million patient records were compromised, followed by 1.6 million in August and approximately 139,000 in September.
One alarming trend in the data was the increasing number of data breaches due to insider wrongdoing, said healthcare compliance platform Protenus. For eight known incidents, healthcare employees were responsible for 23% of the total number of breaches through theft, snooping in patient files and other law violations, along with simple human error or accidents.
Although it took an average of 402 days to discover breaches, one case of insider wrongdoing took 15 years to come to light. A VCU Health employee inappropriately accessed nearly 4,700 electronic health records between 2003 and 2018.
Hacking was responsible for the large majority of breached records in Q3. Between July and September, there were 60 hacking incidents affecting roughly 3.6 million records.
Florida had the most data breaches of any state in Q3 with 11 incidents, followed by California (10) and Texas (9).
This is an “alarming trend,” according to Protenus. But the increasing number of impacted patient records could also be indicative of better breach detection and reporting.
However, a Black Book Market Research survey in December found eight in 10 hospitals and health systems lack a C-suite leader to manage cybersecurity enterprise-wide despite the high costs and ongoing threat.
Protenus suggested healthcare organizations use advanced analytics and AI to review 100% of patient accesses to data in order to prevent further breaches.