The latest Protenus Breach Barometer report — which includes data compiled by DataBreaches.net — found that insider error incidents continue to be a problem in the world of healthcare cybersecurity.
In the month of October, there were 37 total breach incidents reported to HHS or disclosed to the media, meaning the “at least one breach per day” trend appears to be a constant in 2017.
The report includes statistics for 29 of those incidents, which impacted 246,246 patient records. This number is down from 499,144 records impacted in September, and significantly lower than the 1.5 million records breached in March.
There were various culprits behind the incidents in October.
Hacking accounted for 13 of the 37 incidents. Of the 10 that Protenus has numbers for, 56,837 patient records were affected.
Insiders were responsible for fewer incidents (only 11). But insider error events alone made up about 65 percent of all 246,246 breached patient records.
A Deep-dive Into Specialty Pharma
A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.
One notable insider error incident impacted 6,231 patient records. Amida Care, a nonprofit community health plan based in New York City, sent flyers to patients about the chance to participate in an HIV research project. As it turns out, the words “Your HIV detecta” may have been visible through some envelopes.
“Organizations need to ensure that they are putting proper measures in place and providing appropriate employee training in order to minimize the potential for these types of incidents to occur,” the Breach Barometer reads in regard to insider error incidents.
Despite being in the age of technology, there were four incidents of physical theft in October. These impacted 16,533 records. There were also two incidents in which patient records were lost or went missing, affecting 3,994 total records.
Twenty-nine of the 37 October breaches involved a healthcare provider, while seven included a health plan and one involved a school.
Of the incidents in October, it took an average of 448 days for a healthcare organization to sniff out a data breach. In one case, it took more than three years to uncover a breach. An employee defrauded Illinois of nearly $1 million by incorrectly claiming she was providing speech therapy services even after she left the company.
Though more than three years may seem like a long amount of time, it’s nothing compared to Tewksbury Hospital, which took 14 years to discover a data breach.
Additionally, it took an average of 175 days from when a breach was discovered to when it was reported to HHS or the media. The median amount of time to report was 59 days, which falls within HHS’ 60-day reporting window.
Photo: mattjeacock, Getty Images
