Patient Records Compromised in Breaches Doubled in First Half of 2019

The number of patient records compromised in breaches doubled for the first half of this year, compared with 2018, according to a new analysis of federal and state data released by a health technology company.

The 31.6 million records reached between January 1 and June 30 of this year more than doubles the 15 million over the same six-month period in 2018, according to Protenus’s “Mid-Year Breach Barometer.”

Some 88% of the records were affected by hacking efforts, including ransomware, malware, and phishing, the Baltimore-based AI company found.

Some 20.5 million of the records were acquired by hackers in a single incident discovered in May: a breach involving a medical collection agency. That single attack potentially involved social security numbers, birthdates, as well as other personal data, according to Protenus. The single incident affected entities such as Quest Diagnostic, LabCorp, and Optum 360, among other companies.

The discovery of that single incident was made when patient data was discovered, posted for sale, on the Dark Web, according to the company.

The some 11 million records remaining were compromised in a variety of scenarios.

Sixty insider incidents — split between error and wrongdoing – breached more than 3 million of the records, according to the report.

One of the hacking incidents took more than eight years to discover, according to the report. The median discovery time was 50 days.

The majority of the breach incidents occurred in provider settings (72% total incidents), with the rest disclosed by health plans, business associates, third-party vendors, businesses, or other organizations. (The single incident with approximately two-thirds of the records was a medical collection agency).

The report was based on reports of 285 breaches counted among public data on the U.S. Department of Health and Human Services’s “Breach Portal,” as well as incidents reported to other federal and state regulators, including consumer protection agencies and attorneys general, among other sources.

(Inside Digital Health ™ counted some 225 of the breaches for the time period on the HHS data portal).

Protenus said in their report the escalating privacy concerns makes further security vigilance across healthcare a vital concern. (The company, which markets an AI system to monitor EHRs and related healthcare data, could not be reached for further comment on the report on Tuesday afternoon).

“This data reinforces the need for health systems to build privacy programs that review 100% of accesses to patient data in order to prevent these breaches from occurring, saving organization(s) and patients significant post-breach costs,” the authors conclude.

Get the best insights in digital health directly to your inbox.

Related

Cyberattack Results in Data Breach at Regional Cancer Care Associates

Quarterly Payout for Cybersecurity Vulnerabilities Increases 83%, Highest Ever

Third-Party Vendor Risks Cost Healthcare $23.7B a Year, Report Finds