A Q3 2018 healthcare data breach report from Protenus shows a substantial decrease in the number of healthcare data breaches compared to the preceding quarter. In Q2, 142 healthcare organizations reported data breaches, compared to 117 in Q3.
However, because of several large breaches in Q3, the total number of exposed records was considerably higher. Between July and September, the health records of 4,390,512 patients were exposed, impermissibly disclosed, or stolen, compared to 3,143,642 healthcare records in Q2. The number of exposed records has increased considerably in each quarter of 2018.
The large increase in exposed records in Q3 is partly due to a huge data breach at UnityPoint Health that was disclosed in July. That single breach exposed more records than all 110 healthcare data breaches in Q1 2018 combined. The breach was a phishing attack in which a number of UnityPoint Health email accounts were compromised. Those accounts contained the PHI of 1.4 million patients. The largest healthcare data breach in August was a hacking incident at a healthcare provider that resulted in the exposure of 502,416 records. The largest breach in September was reported by a health plan and affected 26,942 plan members.
Hacking and other IT incidents accounted for 51.28% of all data breaches in Q3. The second largest cause of breaches was insider incidents (23.08%), followed by loss/theft incidents (10.26%). The cause of 15.38% of breaches in Q3 is unknown.
Hacking and IT incidents also accounted for the greatest number of exposed/stolen healthcare records: 86% of all breached records in Q3. 3,649,149 records were compromised in the 60 incidents attributed to hacking and IT incidents. There were 8 reported ransomware/malware attacks and 10 incidents involving phishing. It was not possible to determine the precise cause of 18 'hacking' incidents.
Q3 saw a surge in insider breaches. Insider breaches were divided into two types: insider error and insider wrongdoing. Insider wrongdoing includes impermissible disclosures of PHI, employees snooping on medical records, and theft of healthcare records by employees. Insider breaches resulted in the theft, exposure, or impermissible disclosure of 680,117 patient records.
19 incidents were classified as insider errors and affected 389,428 patients. There were 8 confirmed cases of insider wrongdoing that affected 290,689 patients, a major increase from the 70,562 patients affected by insider wrongdoing incidents in Q2 and the 4,597 patients affected by similar incidents in Q1.
In Q3, 19% of breaches involved paper records and 81% involved electronic medical records.
Healthcare providers suffered the most breaches in Q3 (74% of breaches), followed by health plans (11%) and business associates (11%). 23% of the quarter's breaches had some business associate involvement.
The report reveals that healthcare organizations and their vendors are slow to detect breaches. In one instance, it took a healthcare provider 15 years to discover that an employee had been snooping on healthcare records. During those 15 years, the employee illegally accessed the records of thousands of patients.
The average time to detect a breach was 402 days and the median time was 51 days. The average time to report a breach was 71 days and the median time was 57.5 days.
Florida was the state worst affected by healthcare data breaches in Q3 with 11 incidents, followed by California with 10 and Texas with 9.