Healthcare data breaches continued to rise in 2017, but the number of affected patient records declined 80 percent, a new report suggests. According to the Protenus Breach Barometer, 2017 may have simply been an off year for malicious actors, who may be regrouping for more attacks in 2018.
A total of 477 data breaches were reported to the Department of Health and Human Services' Office for Civil Rights during the year, up from the 450 reported in 2016. However, the positive news for healthcare organizations and leaders is that fewer records were implicated in the breaches, specifically, 5.6 million in 2017 versus 27.3 million in 2016.
According to Fierce Healthcare, "the largest reported data breach was less than 700,000 in 2017, a far cry from two breaches in 2016 that totaled almost 20 million records." Providers made up the vast majority of reports at 80 percent, while health plans settled in at 12 percent.
Insiders continue to be a major thorn in the side of information security. Per the report, the largest breach reported in 2017 was the result of a Kentucky hospital employee inappropriately accessing the billing information of 697,800 patients over multiple incidents.
"Looking across all incidents in 2017, insiders were responsible for 37 percent of the total number of breaches this year," the report states.
On average, it took 308 days for an organization to discover it had suffered a breach in 2017, compared to 233 days in 2016. However, average reporting time fell to 73 days, compared to 344 days in 2016, although that is still outside the 60-day window mandated by OCR.
But one incident went undiscovered for 14 years. The breach affected 1,100 patient records.
Business associates and third parties also are a major source of health data breaches; 53 of the reported incidents, totaling 647,198 records breached, were the result of business associate or other third-party access to health data.
Ransomware incidents more than doubled over the last year from 30 to 64, perhaps because of an increasing number of attacks or better reporting from healthcare entities, said Protenus.
According to a separate report by Protenus from August 2017, 44 states were responsible for the 233 health breach incidents, with California reporting the most breaches (28), followed by Texas (22).
"Health data protection needs to be a top priority for healthcare organizations — keeping their institution out of the headlines, limiting a breach's impact and ultimately increasing patient trust in the organizations where they seek care," concluded that report.
The current year is starting out with a load of data breaches already, with the medical and healthcare sector suffering 26.7 percent of the total data breaches in January 2018, accounting for 31 of the 116 incidents reported during the month, according to the Identity Theft Resource Center.
In early February, Partners HealthCare revealed that its computer network was breached in May 2017, potentially exposing the private information of up to 2,600 patients. The nonprofit health system, whose hospitals include Massachusetts General and Brigham and Women's, said in a statement that the malware did not result in access to its electronic medical record system, but may have exposed patients' names, diagnoses, types of procedures and medications. The Social Security numbers and financial account data of some patients may also have been included, the hospital system said.
Allscripts also was the victim of a ransomware attack in January. The Allscripts outage impacted about 1,500 small physician practices that were left without access to their EHR or claims submission applications, although the vendor noted that no patient records had been compromised. Allscripts has since been targeted by a class-action lawsuit by providers alleging it failed to maintain the proper precautions to prevent a cyberattack.
All of this, and we're just in the second month of the year.