Insider threat health data breaches doubled in February, Protenus says
The number of healthcare security breaches caused by insiders doubled from January to February, according to the latest Protenus Breach Barometer.
While both January and February had the same number of total breaches (31 apiece), February saw a 47 percent drop in affected patient records. There were 206,151 in February as opposed to the 388,307 reported in January. Officials said the largest single breach involved 100,000 patient records and stemmed from insider error.
Protenus, working with Databreaches.net, calculated its totals from Health and Human Services data, media and other source reports. Details were available for 26 incidents.
Hacking was down to 12 percent of the incidents, while 58 percent, or 9, of February’s breaches were due to insider wrongdoing. In fact, 146,162 patient records were exposed by insiders in January, in comparison to 44,144 last month.
Third-party breaches accounted for only 21 percent of exposed patient records.
Timeliness is another notable fact of this month’s Breach Barometer. It took two organizations more than five years to discover that a breach had occurred. Further, it was an average of 478 days from the time of breach until the Department of Health and Human Services was notified — far worse than the January average of 174 days.
While ransomware attacks hit a stride in 2016, it’s important to note that many of those events weren’t reported as breaches. In fact, only 9 malware or ransomware attacks were reported to HHS last year.
HHS requires all organizations to report breaches within 60 days of the initial discovery, a rule Metropolitan Urology Group took seriously: it used that exact amount of time to notify HHS, the media and the 18,000 affected patients on March 10.