1.5 million patient records breached in March

As Protenus found the number of breached records is on the rise, a JAMA Internal Medicine study claimed the risk of breaches is higher at large facilities and teaching hospitals.

The number of breached patient records in January and February was relatively low — 388,307 and 206,151, respectively. But that number spiked sharply in March, with 1,519,521 patient records impacted as a result of healthcare breaches.

These findings come from the latest Protenus Breach Barometer, a monthly analysis of data compiled by DataBreaches.net. All the incidents analyzed were either reported to HHS or disclosed to the media in March 2017.

And it wasn’t only a rise in the number of breached records. March also saw an increase in the number of breach incidents. There were 39 incidents last month, compared to 31 in both January and February.

The 39 breach incidents in March are attributable to a variety of causes. But 17 of them — or 44 percent of them — were due to insider threats. This number is down from February, when insiders caused 18 of the month’s 31 breach incidents, or 58 percent of them. Meanwhile, 28 percent of March incidents were a result of hacking. Another 21 percent were attributable to loss or theft.

Healthcare providers reported 84.6 percent of breach incidents in March. This isn’t too different from February, when 77 percent of reporting entities were healthcare providers. But what does set the months apart is the role played by third-party entities. In February, third-party breaches made up 21 percent of all breached records. In March, however, third-party entities were responsible for only 3 percent of breached records, according to the information available to Protenus.

Also of note in this month’s Breach Barometer is the amount of time it took for entities to report breaches to HHS. It appears as though organizations are improving on this metric. In February, it took entities an average of 478 days to notify HHS of a breach, which falls far outside the 60-day window required by HHS. But in March, this number dropped to an average of 45 days.

March’s Breach Barometer comes on the heels of a startling study about where breaches frequently occur. Published in JAMA Internal Medicine, the study found the risk of data breaches is higher at large healthcare facilities and teaching hospitals.

Researchers analyzed HHS data from 2009 through 2016. Approximately 216 hospitals had 257 data breaches during those seven years. The researchers also checked out hospitals that were breach-free between 2009 and 2016. Their findings? The typical breached entity had a median of 262 beds, while the breach-free entity had a median of 134 beds. And more than 33 percent of the breached entities were major teaching hospitals.

Hospitals of all shapes and sizes need to work hard to ensure they’re not susceptible to data breaches, especially as the number of breached records appears to be on the rise. But given the JAMA study, perhaps it would be especially prudent for bigger facilities and teaching hospitals to watch their backs.

Photo: HYWARDS, Getty Images
