
60 percent of health record data breaches in January caused by insiders

A majority of breached patient records in the U.S. in January 2017 were the result of insiders, Protenus reveals in its Protenus Breach Barometer, a monthly snapshot of reported or disclosed breaches impacting the healthcare industry. With 2016 averaging at least one health data breach per day, 2017 is off to a similar start with 31 breach incidents, averaging one data breach for every day of the month.

2017 has kicked off with a huge proportion of insider threats, as January data from disclosed breaches reveals that 59.2% of breached patient records were the result of insiders, Protenus writes. This month’s health data breaches reinforce the importance of internal health data security, as the need to protect patient data from insiders continues to loom large. Healthcare organizations, now more than ever, need to be proactive in discovering and reporting when a breach has occurred. This is especially the case given that HHS OCR has issued its first fine for failing to report a breach within the 60-day window.

One data breach per day

With 2016 averaging at least one health data breach per day, 2017 is off to a similar start with 31 breach incidents, averaging one data breach for every day of the month. There were slightly fewer incidents disclosed in January than in December (36 incidents), and dramatically fewer affected patient records (1,431,449 vs. 388,307).

The analysis is based on incidents either reported to HHS or disclosed in media or other sources during January 2017. Information was available for 26 of those incidents. The largest single incident involved 220,000 patient records, a result of a third-party breach involving insider-wrongdoing.

Insider-Wrongdoing Responsible for 58.4% of Breached Patient Data

Insider incidents

The majority (59.2%) of breached patient records – 230,044 records – were attributable to insider incidents. Five of nine insider incidents were the result of insider-wrongdoing. For the four insider-wrongdoing incidents for which we have numbers, 226,798 patient records were affected. Four other insider incidents were the result of insider-error, affecting 3,246 patient records.

Hacking Incidents Continue to Threaten Patient Privacy

Of the 12 hacking incidents disclosed in January, Protenus has numbers for 10, affecting 145,636 patient records.

  • One incident involved an extortion demand from TheDarkOverlord. When the entity did not pay the demand, the data was publicly leaked.
  • A second hacking incident disclosed this month was somewhat unusual. Although there was no reported ransomware or ransom demand involved, the entity reported that the attack interfered with patient care when the data was corrupted and clinics could not access the necessary data for marijuana records and prescriptions.
  • A third incident disclosed in January actually involved two sequential breaches: one insider-error incident that exposed patient data, and a second, external attack. Both events stemmed from a misconfiguration of a vendor’s database, exposing patient data. The exposure was detected by researchers, but before the researchers could even contact the covered entity to alert them to secure the database, criminals detected the exposure and hacked the database, wiping it out and leaving a ransom demand.

Phishing attacks

A few of the incidents categorized as ‘hacking’ involved employees falling for phishing attacks. These incidents comprised two elements: insider-error in responding to the phishing attacks and the external threat itself. Protenus categorizes these as ‘hacking’, but such incidents reinforce the need for routine employee training, re-training, and proactive analytics solutions to immediately detect employee errors.

Of the 31 reported incidents in January, there were 25 incidents involving healthcare providers (80.6% of all reported entities), followed by four incidents involving health plans, and two involving third parties. One of the providers is a non-profit that collected medical and health insurance information but didn’t provide diagnostic or treatment services as much as support services.

Third party breaches

Third-party breaches continue to account for a significant proportion of breached records. At least six incidents were the result of third parties. Five incidents accounted for 82% of the total patient records for January, affecting 316,766 patient records.

21 states are represented in the 31 health data breach incidents. California continues to be the state publicly reporting the greatest number of health data breaches; however, it should be noted that this could be due to sheer reporting entity and patient volume. Maryland had the second highest total, with three separate health data breach incidents.

Whixx
