August was a bad month for healthcare data breaches. Over 8.8 million health plan member and patient records were stolen or exposed: 8,804,608 to be exact. According to the latest installment of the Protenus Breach Barometer, the total number of healthcare records exposed or stolen this summer now exceeds 20 million.
In August, 44 breach reports were submitted to the Department of Health and Human Services’ OCR, relating to 42 separate incidents. That makes August the worst month so far this year for healthcare data breaches, and the second worst in terms of the number of healthcare records exposed. Only June saw more records breached (11,061,649). The total number of breaches reported so far in 2016 now stands at 233.
The Breach Barometer shows that employees are among the biggest threats to healthcare data security. Employees were responsible for causing 42.86% of the data breaches reported in August. Hacking, including ransomware attacks, was the second main cause of breaches, accounting for 28.57% of incidents. Theft and loss of devices containing PHI was third, accounting for 11.9% of breaches. The cause of 16.67% of breaches is not known.
In August, healthcare providers were hit the hardest, involved in 37 incidents, and nearly one in five breaches involved a business associate (BA). Incidents involving BAs accounted for 47% of all breached records.
It is difficult to determine precisely how quickly covered entities (CEs) are discovering data breaches, as not all CEs disclose the date of the breach, the date of discovery and the date patients were notified. Of the 13 data breaches in the report for which this information was disclosed, 38% took more than 60 days to discover the breach, although some were able to discover a breach in 20 days.
According to the Health Insurance Portability and Accountability Act, covered entities have up to 60 days after the discovery of a data breach to notify OCR and send breach notification letters to patients. In several cases, the sending of breach notification letters is delayed.
Fortunately, several covered entities appear to be better prepared for breaches and were able to send notifications well within the time frame allowed by the HIPAA Breach Notification Rule.
Covered entities based in 20 states reported breaches in August, though California was the worst hit with six reported incidents.