Health IT

Health data breaches hit 2016 high in November

Just when you think the cybersecurity problem couldn’t get any worse in healthcare, along comes a report saying that there were more health data breaches disclosed in November than in any other month in 2016.

[Figure: number of incidents per month, Protenus Breach Barometer, November]

In a report released Thursday, Protenus, a startup focused on tracking and preventing healthcare data breaches, said there were 57 such incidents last month. That is 60 percent higher than the 35 in October, based on statistics compiled by DataBreaches.net.

Surprisingly, 31 of the data breaches in October, or 54 percent, were inside jobs, according to the monthly Protenus Breach Barometer, while just nine were traced to hackers. The Ponemon Institute said in May 2015 that criminal activity had become the top source of health data breaches.

“While insiders are always a major source of health data breaches and HIPAA violations in any given month, this month was particularly striking,” Protenus Cofounder and CEO Robert Lord said via email. “In November, there were insider breaches at a few business associates that resulted in a wide array of their clients submitting breach reports.”

At least three of the hacks involved ransomware; a fourth “mentioned ransom/extortion but not ransomware,” the Breach Barometer said.

According to Protenus, the largest single breach last month was due to an error at a business associate, rather than a healthcare covered entity, as HIPAA calls it. That unspecified incident affected 170,000 records.

In all, 458,639 records were exposed in the 57 breaches in November, which actually was far below the monthly average for 2016. The average was skewed by major spikes in June and August, which saw 11 million and 8.8 million records affected, respectively.

Meanwhile, healthcare organizations seem to be taking their sweet time reporting data breaches. According to the report, in the cases where Protenus has records, it took an average of 135 days for the affected parties to notify the Department of Health and Human Services' Office for Civil Rights of an incident.

“It goes without saying that it is essential for organizations to be proactive when monitoring patient data,” Protenus said. “The sooner a breach is detected, the quicker the healthcare organization can mitigate the risk of significant damage being done with their patients’ data. The longer [protected health information] is exposed, the more it can cost the healthcare organization and ultimately become troublesome for the patients.”

HIPAA rules require healthcare organizations to notify OCR within 60 days of discovering a breach.

Baltimore-based Protenus came through startup accelerator DreamIt Health’s 2014 Baltimore class.

Image: Protenus