60 percent health record data breaches January caused by insiders

February 15, 2017
2017 has kicked off with a huge proportion of insider threats, as January data from disclosed breaches reveals that 59.2% of breached patient records were the result of insiders, Protenus writes.  This month’s health data breaches reinforce the importance of internal health data security, as the need to protect patient data from insiders continues to loom large. Healthcare organizations, now more than ever, need to be proactive in discovering and reporting when a breach has occurred. This is especially the case given that HHS OCR has issued its first fine for failing to report a breach within their 60-day window.

One databreach per day

With 2016 averaging at least one health data breach per day, 2017 is off to a similar start with 31 breach incidents, averaging one data breach for every day of the month. There were slightly fewer incidents disclosed in January than in December (36 incidents), and dramatically fewer affected patient records (1,431,449 vs. 388,307).

The  analysis is based on incidents either reported to HHS or disclosed in media or other sources during January 2017.  Information was available for 26 of those incidents. The largest single incident involved 220,000 patient records, a result of a third-party breach involving insider-wrongdoing.
Insider-Wrongdoing Responsible for 58.4% of Breached Patient Data

Insider incidents

The majority (59.2%) of breached patient records - 230,044 records - were attributable to insider incidents. Five of nine insider incidents were the result of insider-wrongdoing.  For the four insider-wrongdoing incidents for which we have numbers, 226,798 patient records were affected. Four other insider incidents were the result of insider-error, affecting 3,246 patient records.

Hacking Incidents Continue to Threaten Patient Privacy

Of the 12 hacking incidents disclosed in January, Protenus has numbers for 10, affecting 145,636 patient records.
  • One incident involved an extortion demand from TheDarkOverlord.  When the entity did not pay the demand, the data was publicly leaked.
  • A second hacking incident disclosed this month was somewhat unusual. Although there was no reported ransomware or ransom demand involved, the entity reported that the attack interfered with patient care when the data was corrupted and clinics could not access the necessary data for marijuana records and prescriptions.
  • A third incident disclosed in January actually involved two sequential breaches: one insider-error incident that exposed patient data, and a second, external attack. Both events stemmed from a misconfiguration of a vendor’s database. exposing patient data. It was detected by researchers, but before the researchers could even contact the covered entity to alert them to secure the database, criminals detected the exposure and hacked the database, wiping it out and leaving a ransom demand.

Phishing attacks

A few of the incidents categorized as ‘hacking’ involved employees falling for phishing attacks.  These incidents were comprised of two elements: insider-error in responding to the phishing attacks and the external threat itself.  Protenus categorizes these as ‘hacking’, but such incidents reinforce the need for routine employee training, re-training, and proactive analytics solutions to immediately detect employee errors.

Of the 31 reported incidents in January, there were 25 incidents involving healthcare providers (80.6% of all reported entities), followed by four incidents involving health plans, and two involving third parties. One of the providers is a non-profit that collected medical and health insurance information but didn’t provide diagnostic or treatment services as much as support services.

Third party breaches

Third-party breaches continue to account for a significant proportion of breached records. At least six incidents were the result of third parties.  Five incidents accounted for 82% of the total patient records for January, affecting 316,766 patient records.

21 states are represented in the 31 health data breach incidents.  California continuously remains the state publicly reporting the greatest number of health data breaches, however, it should be noted that this could be the case due to sheer reporting entity and patient volume.  Maryland had the second highest total, with three separate health data breach incidents.