Just when you think the cybersecurity problem couldn’t get any worse in healthcare, along comes a report saying that there were more health data breaches disclosed in November than in any other month in 2016.
In a report released Thursday, Protenus, a startup focused on tracking and preventing healthcare data breaches, said there were 57 such incidents last month. That is 60 percent higher than the 35 in October, based on statistics compiled by DataBreaches.net.
Surprisingly, 31 of the data breaches in October, or 54 percent, were inside jobs, according to the monthly Protenus Breach Barometer, while just nine were traced to hackers. The Ponemon Institute said in May 2015 that criminal activity had become the top source of health data breaches.
“While insiders are always a major source of health data breaches and HIPAA violations in any given month, this month was particularly striking,” Protenus Cofounder and CEO Robert Lord said via email. “In November, there were insider breaches at a few business associates that resulted in a wide array of their clients submitting breach reports.”
At least three of the hacks involved ransomware; a fourth “mentioned ransom/extortion but not ransomware,” the Breach Barometer said.
According to Protenus, the largest single breach last month was due to an error at a business associate, rather than a healthcare covered entity, as HIPAA calls it. That unspecified incident affected 170,000 records.
In all, 458,639 records were exposed in the 57 breaches in November, which actually was far below the monthly average for 2016. The average was skewed by major spikes in June and August, which saw 11 million and 8.8 million records affected, respectively.
A Deep-dive Into Specialty Pharma
A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.
Meanwhile, healthcare organizations seem to be taking their sweet time reporting data breaches. According to the report, it took an average of 135 days for the affected parties to notify the Department of Health and Human Service’s Office for Civil Rights of an incident in the cases where Protenus has records.
“It goes without saying that it is essential for organizations to be proactive when monitoring patient data,” Protenus said. “The sooner a breach is detected, the quicker the healthcare organization can mitigate the risk of significant damage being done with their patient’s data. The longer [protected health information] is exposed, the more it can cost the healthcare organization and ultimately become troublesome for the patients.”
HIPAA rules require healthcare organizations to notify OCR within 60 days of discovering a breach.
Baltimore-based Protenus came through startup accelerator DreamIt Health’s 2014 Baltimore class.
Image: Protenus
