The Protenus Breach Barometer report for September 2017 has been released and shows a significant increase in healthcare data breaches during the month.
The report collates healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) together with incidents tracked by databreaches.net, the latter including breaches that have yet to appear on the OCR breach portal (the ‘Wall of Shame’).
Overall, Protenus/databreaches.net recorded 46 healthcare data breaches in September. The number of individuals affected has not been disclosed for every incident, but at least 499,144 healthcare records are known to have been exposed or stolen during the month. Figures for four of the month’s breaches have yet to be published.
That makes September the second-worst month of 2017 so far for healthcare data breaches. Only June was worse, with 52 breaches reported; August saw 33 breaches reported by healthcare organizations.
The largest incident of the month was a ransomware attack affecting the records of 128,000 individuals. It is not yet known whether those records were actually viewed or exfiltrated. Under OCR’s 2016 ransomware guidance, the encryption of ePHI by ransomware is presumed to be a reportable breach unless the entity can demonstrate a low probability that the data was compromised, which is why such incidents appear in the figures regardless of whether data theft is confirmed.
The main causes of healthcare data breaches in September were hacking (50% of incidents) and insiders (32.6%). The hacking figure includes extortion attempts by the TheDarkOverlord hacking group, ransomware incidents and malware attacks. Hacking incidents accounted for 80% of the records breached in September (401,741 records), even though figures for four of those incidents have not yet been published. The hacking incidents recorded in September included one confirmed ransomware attack, eight extortion attempts and seven phishing incidents.
The 15 insider incidents led to the exposure of 73,926 records. They included six insider errors and eight cases of insider wrongdoing. Four theft incidents were also reported, affecting 17,295 patients.
The breaches occurred at 31 healthcare providers, 6 health plans, 6 business associates of HIPAA-covered entities, and 3 schools, with California the worst-affected state at 5 breaches.
While most healthcare organizations identified their breaches within 6 weeks (the median time to discovery was 38 days), it took one healthcare provider 2,108 days to discover that one of its employees had been improperly accessing patients’ medical records.
Most organizations reported their breaches within the HIPAA Breach Notification Rule deadline, which runs for 60 days from the discovery of the breach rather than from the breach itself, although there were two exceptions. One organization took 249 days to report its breach, exposing it to a potentially large HIPAA violation penalty.