February 12, 2019 – Fifteen million patient records were breached during 503 healthcare data breaches in 2018, nearly triple the amount of reported incidents from the previous year, according to the Protenus 2019 Breach Barometer.
Protenus analyzed the breaches reported to the Department of Health and Human Services, the media, or other sources. The researchers had detailed data for 417 of the 503 breaches; the total number of breaches increased slightly from the 477 reported in 2017.
What’s concerning is that in 2017, 5.6 million patient records were breached, compared to the 15 million reported last year. There was also a steady increase in the number of impacted records, from the 1.2 million reported in the first quarter to the 6.3 million reported in the fourth quarter.
The Atrium Health breach was the largest incident with 2.65 million impacted records. Reported in November, the cause was a hack on billing vendor AccuDoc Solutions that exposed patient data for about a week. June had the greatest number of disclosed breaches with 51 incidents, followed by 50 reported incidents in both October and May.
Here’s a breakdown of how these breaches occurred.
Hacking and Phishing on the Rise
Since 2016, hacking incidents have continued to steadily increase, with 222 breaches or 44 percent of reported incidents in 2018. About 11.3 million patient records were compromised by hacking, nearly four times more than the 3.4 million reported in 2017.
Hackers are leveraging highly targeted phishing campaigns to gain access to healthcare organizations’ networks, which researchers said should serve as a critical reminder of the need for frequent training and education.
“In general, healthcare entities are able to detect hacking incidents quicker than insider incidents,” the report authors wrote. “In many cases, hacking incidents have been discovered in one day… where insider incidents can take place for years before discovery.”
“While hacking incidents may be discovered quickly, they also tend to have longer gaps between the discovery of the breach and reporting it,” they added.
Insider-Wrongdoing and Error
For several years, insiders have caused a large number of healthcare breaches, which continued throughout 2018. The researchers found insiders were responsible for about 28 percent of breaches last year, breaching 2.8 million patient records in 139 incidents.
The number of insider-related incidents decreased from the 176 reported the previous year. However, the report found a substantial increase in breached patient records from 2017, with nearly four healthcare employees breaching patient privacy per 1,000 employees.
Further, “significantly more patient records were breached by insider-error than by insiders with malicious intent.” In one incident, however, an employee continued to snoop on patient records for 15 years without being discovered.
“While there were substantially fewer patient records breached by insider wrongdoing, they are often more dangerous since employees with legitimate access to patient information can abuse their access with malicious intent, often undetected,” the report authors wrote.
“While the industry experiences a multitude of patient records affected from a single hacking incident, they are often quickly discovered due to the immediate disruption to hospital operations,” they added. “Insider threats can remain undetected for long periods of time due to their legitimate access.”
The researchers noted that detecting insider threats is a major challenge for many organizations because of the sheer volume involved. For example, several insider incidents took more than four years to discover. On average, it took a healthcare organization 255 days to discover a breach caused by an insider.
What’s interesting is that family member snooping was the most common insider-related breach in 2018, accounting for 67 percent of those incidents. And insiders are more likely to breach privacy after an initial violation: 51 percent of privacy violations were caused by repeat offenders.
“This evidence indicates health systems accumulate risk that compounds over time if proper reporting, education, and discipline actions do not occur,” the report authors wrote. “Resources provided to healthcare organizations are pivotal in reducing the number of breach incidents that occur.”
“Educating staff on EHR policy and procedures has been shown to reduce the frequency of repeat offenders within the organization,” they added.
Third-party vendors or business associates accounted for 151 breaches, or 30 percent of the total incidents in 2018, impacting 5.3 million patient records. There could be even more incidents involving third parties, as the researchers stressed they didn’t always have enough data to make that determination.
“Healthcare continues to be highly targeted by hackers and other malicious attackers, with the trend of at least one health data breach per day continuing throughout the year,” the report authors wrote. “In last year’s report, experts noted that the decrease in breached records might have been due to malicious actors taking a break before a resurgence in 2018.”
“With the increase in numbers and the return of thedarkoverlord, a notable hacking group, it appears this break is now over,” they added. “It will be imperative for the healthcare industry to continue to innovate and to proactively detect and mitigate these breaches, reducing the devastation these incidents can cause.”
These findings reflect similar trends seen by other healthcare security leaders. A recent Proofpoint report found email fraud attacks jumped 473 percent since January 2017, while a new HIMSS infosec survey found phishing and negligent insiders are leaving healthcare vulnerable to these attacks.