Health IT, Hospitals

One hospital took 14 years to discover a data breach

Fourteen years is a lengthy amount of time, but that’s how long it took Massachusetts-based Tewksbury Hospital to uncover an insider incident. The finding comes from Protenus’ latest Breach Barometer.

That’s right — 14 years.

Said incident took place at Tewksbury Hospital in Massachusetts, where a clerk inappropriately accessed the records of more than 1,000 patients between 2003 and 2017, according to The Boston Globe. The breach was completely unaccounted for until somebody called in a complaint.

The finding comes from Protenus’ latest Breach Barometer, a monthly report based on data provided by DataBreaches.net.

“I remember seeing that stat come across my desk and was pretty shocked,” Protenus president Robert Lord said in a recent phone interview.

In its report about the month of May, Protenus found that three incidents went undetected for more than three years. But that number pales in comparison to a 14-year length of time, which Lord said is a record for the Breach Barometer.

In addition to uncovering the Tewksbury Hospital incident, Protenus’ latest report found there a total of 575,142 patient records impacted in July.

That same month, there were 36 breaches disclosed to HHS, the media, or a State’s Attorney General.

Of those breaches, a surprisingly high number (17) were hacking incidents. And 10 of the hacking incidents involved ransomware.

“Historically we hadn’t seen as much ransomware getting reported, even though we knew it was happening,” Lord said. “That was a big driver of the spike.”

Although only eight of the 36 breaches were due to insider threats, Lord noted that insider events are still a huge vulnerability.

The majority of July breaches (29) involved healthcare providers. Another three involved health plans, two involved a business associate or third party vendor and one even involved a fire dispatch center.

The 36 incidents occurred across a total of 23 states. Georgia, Indiana and California all had three breaches in July. Colorado, Michigan, Pennsylvania and Tennessee each reported two incidents.

Month after month, cybersecurity remains a hot topic in the world of healthcare. And Lord has a few predictions about where the field is heading.

“Fundamentally, I think we’re going to continue to see a lot of patterns,” he said. I don’t think this data changes my opinion of where the year’s going.”

For one, insiders will continue to be a danger to the industry. Going forward, awareness of insider threats will grow.

Yet unfortunately, Lord believes we’re on track to have a worse year than last year, when there was an average of one data breach per day. However, he’s hopeful that this data will cause the healthcare field to rethink its cybersecurity framework.

“Taking all this into account, we have this great opportunity for healthcare leaders to look in the mirror and say, ‘Are we doing enough?'” Lord noted. “To bend the curve, we’re going to need a fundamental difference.”

Photo: turk_stock_photographer, Getty Images