A recent data analysis by Comparitech has revealed that the average time for a U.S. healthcare organization to report a ransomware attack is 3.7 months, the shortest time out of all industries represented in the study. Across all industries, the average time to report a ransomware attack in 2023 was 5.1 months, a considerable increase from the average of 2.1 months in 2018.
In 2024, ransomware-related data breaches took an average of 3.7 months to report, although it is too early to obtain reliable reporting data, as ransomware victims are still reporting ransomware-related data breaches from last year.
Comparitech’s researchers analyzed data from 2,600 U.S. ransomware attacks since 2018. Over the entire period of study, the average time to report a data breach following a ransomware attack was 4.1 months. The legal sector delayed reporting data breaches for the longest time, taking an average of 6.4 months to report the data breach.
While healthcare had the shortest breach reporting times, two healthcare entities had exceptionally long delays between the date of the attack and the issuing of notifications. Ventura Orthopedics experienced a ransomware attack in July 2020, yet notification letters were not sent until September 2023, 38 months later. It took two years from the date of the attack for Westend Dental to issue notification letters, earning the company a $350,000 financial penalty.
The reporting time is no doubt influenced by federal and state laws. In healthcare, the Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires regulated entities to report a data breach within 60 days of the date of discovery. If the total number of affected individuals is not yet known, the regulated entity must report the breach using an estimated total, with the estimated figure typically being 500 or 501. A figure of 500 affected individuals is the threshold for media announcements and public listing of the data breach on the HHS’ Office for Civil Rights breach portal.
Looking at the business sector only, healthcare also had one of the shortest delays, taking an average of 3.4 months to report the data breach, slightly ahead of utilities at 3.3 months. Healthcare businesses in this sector were not direct healthcare providers.
Comparitech also identified shorter breach reporting times in states that have implemented data breach notification laws, with an average time of 3.9 months to report a breach in those states compared to 4.2 months in other states. The states with the longest breach reporting times were Wyoming (7.3 months), the District of Columbia (6.6 months), and North Dakota (6.3 months), whereas the states with the shortest reporting periods were Montana (1.9 months), South Dakota (2.2 months), and Alaska (2.3 months).
While it may not be possible to issue notification letters quickly, it is important to announce ransomware attacks to allow potentially affected individuals to take steps to protect themselves. If it takes 4.1 months on average to report a ransomware-related data breach, that gives ample time for stolen data to be misused.
Ransomware groups that engage in double extortion list the stolen data on their data leak sites if the ransom is not paid, and the data can be downloaded by anyone. That means the data could be misused for several months before the affected individuals are notified. If a notice is added to the breached organization’s website, even if data theft has not been confirmed, consumers would be aware that they could potentially be at risk and could take steps to protect themselves.
The post Healthcare Organizations Take 3.7 Months To Announce Ransomware Data Breaches appeared first on The HIPAA Journal.