Latest HIPAA News

NHS to Phase Out Pagers by End of 2021

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million).

Advantages and Disadvantages of Pagers in Healthcare

Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well.

However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are often written down and they can be forgotten or lost. When responding to messages, doctors often find the number is engaged and so begins a time-consuming game of phone tag. Pages also do not convey a sense of urgency.

To investigate the use of pagers, the Department of Health commissioned a report from CommonTime, a digital solutions company. The firm concluded that the devices should not continue to be used in the NHS and that it was surprising for legacy equipment such as pagers to still be relied upon in emergency situations.

UK Health Secretary Matt Hancock is keen to see legacy technology such as pagers phased out. He views emails and mobile phones as a better option in terms of speed, security, and cost. Pagers are expensive to run. Switching to alternative, modern methods of communication could save the NHS millions each year. The report suggests that the use of mobile devices and mobile software in place of pagers could save the NHS around £2.7 million ($3.57 million) a year.

Messaging Apps and Secure Email to Replace NHS Pagers

Secure messaging apps on smartphones are a viable alternative to pagers and can be run at a fraction of the cost. The apps offer similar capabilities as WhatsApp and Skype, but with enhanced security and message accountability.

The West Suffolk NHS Foundation Trust trialed a smartphone app in 2017, replaced all of its pagers, and found that it saved a considerable amount of time communicating with doctors as well as cutting costs. The app allowed two-way communication between doctors and other healthcare professionals, supported group chats, and worked on smartphones, tablets and desktops.

Mobile technology may improve security and allow the NHS to cut costs, but the technology is not without drawbacks. There are often dead-spots in hospitals where signals cannot be received on mobile devices, mobile networks can face slowdowns which delay the delivery of urgent messages, and there is potential for mobile devices to interfere with hospital equipment. Those issues will need to be resolved over the coming two years, although NHS Trusts will be permitted to keep some pagers for emergency situations, such as when mobile networks go down or hospital Wi-Fi goes offline.

Fax Machines to be Phased Out by 2020

The latest report follows a 2018 study by the Royal College of Surgeons which revealed that the NHS was still using around 9,000 fax machines to send documents. In December 2018, the Department of Health announced that fax machines would be phased out and would be replaced by secure, encrypted email to improve patient safety and cybersecurity. NHS Trusts have not been permitted to buy new fax machines since January 2019 and fax machines will be completely phased out by April 2020.

These are just two of the initiatives that Hancock is pursuing to update the technology used by the NHS. As the May 2017 WannaCry ransomware attacks showed, it is not just legacy equipment that is a problem. A study conducted after the attacks revealed 60% of NHS Trusts were still using Windows XP, even though the operating system is a major security risk and is no longer supported. In May 2018, the UK government signed a £150 million ($1.98 million) deal with Microsoft to upgrade all Windows XP and Windows 7 machines to Windows 10. That process will be completed by January 14, 2020.

The post NHS to Phase Out Pagers by End of 2021 appeared first on HIPAA Journal.

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day. There were 33 healthcare data breaches reported in January 2019.

Healthcare Data Breaches January 2019 - Month

January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed.

Healthcare Data Breaches January 2019 - Records Exposed

Largest Healthcare Data Breaches in January 2019


Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
1 | Centerstone Insurance and Financial Services (BenefitMall) | Business Associate | 111,589 | Hacking/IT Incident
2 | Las Colinas Orthopedic Surgery & Sports Medicine, PA | Healthcare Provider | 76,000 | Theft
3 | Valley Hope Association | Healthcare Provider | 70,799 | Hacking/IT Incident
4 | Roper St. Francis Healthcare | Healthcare Provider | 35,253 | Hacking/IT Incident
5 | Managed Health Services | Health Plan | 31,300 | Hacking/IT Incident
6 | EyeSouth Partners | Business Associate | 24,113 | Hacking/IT Incident
7 | Dr. DeLuca Dr. Marciano & Associates, P.C. | Healthcare Provider | 23,578 | Hacking/IT Incident
8 | Critical Care, Pulmonary and Sleep Associates, PLLP | Healthcare Provider | 23,377 | Hacking/IT Incident
9 | Valley Professionals Community Health Center | Healthcare Provider | 12,029 | Hacking/IT Incident
10 | Cambridge Healthcare Services, LLC | Business Associate | 10,866 | Theft

Causes of January 2019 Healthcare Data Breaches

Hacking and other IT security incidents such as ransomware and malware attacks were the biggest cause of healthcare data breaches in January 2019, accounting for 51.52% of the month’s data breaches (17 incidents) and the largest reported breach of the month. Hacking/IT incidents also accounted for the most breached records: 74.07% of all breached records in January (363,631 records).

Healthcare Data Breaches January 2019 - Causes

Unauthorized access and impermissible disclosure incidents were in second place with 10 incidents (30.30%), although they involved only a small percentage of the month’s breached records – 19,500 or 3.97% of the month’s total.

There were 5 theft incidents reported in January which involved the protected health information of 106,006 individuals – 21.59% of the records exposed in January – and one improper disposal incident that saw 1,800 paper records accidentally discarded with regular trash.

Location of Breached Protected Health Information

Healthcare organizations are still having difficulty preventing phishing attacks and other email-related breaches. As has been the case in the past few months, email-related data breaches have dominated the breach reports. Most of the email breaches in January were due to phishing attacks.

51.52% of healthcare data breaches in January 2019 involved PHI stored in emails and email attachments (17 incidents). Physical PHI, such as paper records, charts, and films was exposed in 15.15% of breaches in January (5 incidents).

Healthcare Data Breaches January 2019 - Location PHI

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by healthcare data breaches in January 2019 with 20 reported incidents, six of which ranked in the top ten breaches of the month.

8 health plans reported breaches in January and there were five breaches reported by business associates of HIPAA-covered entities, including the largest data breach of the month. A further 6 data breaches had some business associate involvement but were reported by the HIPAA-covered entity.

Healthcare Data Breaches January 2019 - By Covered Entity

Healthcare Data Breaches by State

HIPAA covered entities and business associates based in 20 different states reported healthcare data breaches in January 2019. The worst affected state was Texas with four reported breaches. Georgia, Indiana, and Kentucky each had 3 breaches in January and there were two breaches reported in each of California, Connecticut, Florida, and Kansas.

Colorado, Illinois, Michigan, Minnesota, North Carolina, Nebraska, New Jersey, Pennsylvania, Rhode Island, South Carolina, Tennessee, and Washington each experienced one healthcare data breach in January.

Penalties for Noncompliance and HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) did not issue any financial penalties in January 2019 or agree to any settlements to resolve HIPAA violations; however, OCR did announce in late January that a further settlement had been agreed with a HIPAA covered entity in December 2018 – too late for inclusion in our December 2018 Healthcare Data Breach Report.

In December 2018, Cottage Health agreed to settle its HIPAA violation case with OCR for $3,000,000. OCR investigated Cottage Health over two breaches experienced in 2013 and 2015 which saw the protected health information of 62,500 patients exposed online.

OCR also announced that 2018 had been a record year for HIPAA enforcement. OCR’s HIPAA fines and settlements totaled $28,683,400 in 2018, beating the previous record of $23,505,300 set in 2016 by 22%. 2018 also saw the largest ever HIPAA settlement agreed. Anthem Inc. agreed to pay OCR $16,000,000 to resolve HIPAA violations discovered during the investigation of its 78.8 million-record data breach of 2015.

OCR closed out 2018 with 10 settlements to resolve HIPAA violations and one civil monetary penalty, beating last year’s total by one.

There was one HIPAA violation case closed by a state attorney general in January 2019. The California Attorney General agreed to settle a case with health insurer Aetna for $935,000. The financial penalty resolved violations of HIPAA and state laws that contributed to the impermissible disclosure of plan members’ PHI. In two separate 2017 mailings, PHI was visible through the windows of envelopes. The mailings were sent to individuals who had been diagnosed with Afib in one mailing, and patients who were receiving HIV medications in the other. The impermissible disclosures affected 1,991 California residents.

This was the sixth state attorney general financial penalty Aetna has agreed to pay in relation to the mailing errors. In 2018, Aetna settled cases with New York, New Jersey, Washington, Connecticut, and the District of Columbia. The latest financial penalty brings the total financial penalties over the HIPAA violations to $2,725,172.

The post January 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees.

UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals.

A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack or whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out.

UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused.

The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed. Information contained in the compromised email accounts was limited to names, addresses, dates of birth, and some clinical information, such as appointment dates and billing information. Approximately 1,500 Social Security numbers were also potentially compromised.

All patients whose PHI was potentially accessed by the attackers have been notified by mail. Complimentary identity theft protection services have been offered to patients whose Social Security number was exposed.

UConn Health is reviewing its technical controls to prevent phishing attacks and is currently evaluating additional security training platforms to better educate staff on phishing and other cybersecurity threats.

In late January, the University of Connecticut warned students to be alert to the risk of phishing attacks following a spate of spam and phishing emails received by students over the past few months, some of which impersonated the UConn mail service. It is unclear whether the warning was related to the email breach at UConn Health.

The post UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed appeared first on HIPAA Journal.

NIST NCCoE Releases Mobile Device Security Guidance

The National Cybersecurity Center of Excellence (NCCoE) has released final guidance on mobile device security to help organizations secure mobile devices and prevent data breaches.

Mobile devices offer convenience and allow data to be accessed from any location. Not only do they allow healthcare organizations to make cost savings, they are vital for remote workers who need access to patients’ health information. Mobile devices allow onsite and offsite workers to communicate information quickly and they can help to improve patient care and outcomes.

However, mobile devices introduce security risks. Stolen devices can be used to gain access to corporate email accounts, contacts, calendars, and other sensitive information stored on the devices or accessible through them.

There have been many cases where mobile healthcare devices have been lost or stolen causing the exposure of patients’ protected health information. Mobile device security failures have resulted in several financial penalties for HIPAA covered entities, including a $4,348,000 civil monetary penalty for University of Texas MD Anderson Cancer Center in 2018.

In healthcare, securing mobile devices and protecting sensitive data can be a major challenge. To help businesses and healthcare organizations improve mobile device security, NIST/NCCoE developed a Mobile Device Security Practice Guide.

The Guide – NIST Special Publication 1800-4 Mobile Device Security: Cloud & Hybrid Builds – gives practical advice on how commercially available technologies can be used to create an enterprise mobility management system that ensures mobile devices can be used to securely access sensitive information from inside and outside the corporate network while minimizing the impact on the user experience.

By using the guide, organizations can ensure that employees can access vital information safely and securely from almost any location, over any network, on a range of mobile devices, while minimizing mobile device security risks.

The guide can be used to securely implement BYOD and COPE deployment models and leverage cloud services to improve security, enhance visibility for system administrators, provide instant alerts about security events, and push policies out to mobile devices and enforce them through operating systems or mobile applications.

The guide includes several how-to examples that demonstrate how standards-based technologies can be used in real-world situations to reduce the risk of unauthorized data access and intrusions while saving on research and proof-of-concept costs.

The guide can be viewed or downloaded from NIST/NCCoE.

The post NIST NCCoE Releases Mobile Device Security Guidance appeared first on HIPAA Journal.

Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups

A complaint has been filed with the FTC over misleading practices by Facebook. The complaint alleges health information disclosed in closed, supposedly anonymous and private Facebook groups has been exposed.

Congress is calling for Facebook to provide answers about the alleged privacy violations involving the Facebook PHR (Groups) platform. Leaders from the House Committee on Energy & Commerce have written to Facebook CEO Mark Zuckerberg requesting an urgent response to the privacy complaint filed with the FTC by users of Facebook Groups.

The complaint was sent to the FTC in December and was made public this week. In the complaint letter, security researcher Fred Trotter and members of a Facebook health group allege that personal health information disclosed by users of closed Facebook groups has been exposed. As a result, members of the groups are at risk of harassment and discrimination.

Closed Facebook groups are used by sufferers of health and mental health conditions to get support. Many support groups have been set up on the platform specifically for that purpose. Members of the groups are offered a safe environment to chat about their issues. Highly sensitive information is often disclosed in the groups as they are believed to be private and anonymous. The complaint alleges Facebook is actively encouraging the use of closed groups as a good way for patients to communicate their health information and receive support for medical conditions.

Users of the groups have shared information about positive HIV diagnoses, sexual histories, details of past sexual abuse, substance abuse disorders, and a wide range of health and mental health conditions.

The groups are supposed to be private and anonymous and are often advertised as such. One example is the Affected by Addiction Community Facebook Group, which states that “This is a private group, so nothing you post will be seen by anyone outside of this group.” Several other examples are detailed in the complaint and some of the groups have been actively promoted by Facebook, even though privacy is not assured. Facebook states in its data policy that information shared on its platform can be shared with others on and off its products. Claiming the groups are private and anonymous is a misrepresentation.

Information disclosed in these groups, including personal health information, is shared with advertisers. There have been many cases of individuals being displayed adverts about possible treatments for medical conditions that have only ever been discussed in closed, private groups.

Facebook is not bound by HIPAA Rules, so the sharing of any personal health information with advertisers would not be a HIPAA violation. However, Facebook is required to comply with FTC rules, and those are the rules Facebook is alleged to have violated.

In addition to sharing data with advertisers, the security of Facebook Groups has been called into question. One member of a closed health group claims she was able to obtain a list of all members of the group using a Chrome web browser extension called grouply.io. She contacted Trotter who used the extension to download the names of 10,000+ members of a closed and supposedly private Facebook group. In addition to real names of members, Trotter was also able to download email addresses, the cities where the members are located, and employers of the women who participated in the group. In this case, the members had been diagnosed as having the BRCA cancer mutation.

In the complaint, Trotter explained that since Facebook is encouraging the use of private groups for disclosing health information the groups should be treated as a personal health record and regulated as such by the FTC. Part of the requirements for personal health records is the reporting of data breaches. Even though Facebook was notified about the file download and data breach, notifications were not sent to members of the group.

“Sharing of privately posted personal health information violates the law, but this serious problem with Facebook’s privacy implementation also presents an ongoing risk of death or serious injury to Facebook users,” wrote Trotter in the complaint. “Facebook has ignored our requests to fix the specific issues we have identified to the company and denies publicly that any problem exists. All of this represents unfair, deceptive and misleading interactions between Facebook and its users in violation of the FTC Act.”

Leaders of the Energy and Commerce Committee said in their letter to Zuckerberg, “Facebook’s systems lack transparency as to how they are able to gather personal information and synthesize that information into suggestions of relevant medical condition support groups. Labeling these groups as closed or anonymous potentially misled Facebook users into joining these groups and revealing more personal information than they otherwise would have.”

The committee leaders have requested a briefing from Facebook by March 1, 2019.

The post Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups appeared first on HIPAA Journal.

PHI of Almost 1 Million UW Medicine Patients Exposed Online

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication.

Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name.

An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2018. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures.

The error was immediately fixed on December 26 and UW Medicine contacted Google to remove all cached copies of the files from its listings. UW Medicine reports that all cached copies of its files were removed by January 10, 2019.

An analysis of the files revealed they contained patients’ names, medical record numbers, information about with whom UW Medicine had shared patient information, a summary of the reason for the disclosure, and a brief description of the types of information that were shared (demographics, labs, office visits etc.). In some cases, the name of a health condition was mentioned in relation to a research study and the name of a lab test was included. In the case of the latter, the information may have indicated what the patient was being tested for (e.g. HIV, dementia), but not the result of the test.

No financial information, insurance information, Social Security numbers, detailed health information, or other highly sensitive data could be accessed by unauthorized individuals as a result of the database misconfiguration.

The most common reasons for disclosures mentioned in the database were information shared with Child Protective Services, law enforcement, and public health authorities, and cases where researchers required access to a patient’s medical records to check if the patient was eligible to take part in a research study.

It has taken some time for UW Medicine to ensure that all information has been secured and to identify the patients impacted by the breach. The incident has now been reported to the HHS’ Office for Civil Rights and all patients are now being sent breach notification letters. UW Medicine cannot confirm how many people accessed the files during the time they were available, but due to the nature of data exposed, the risk of identity theft and fraud is believed to be negligible.

The error has proven costly for UW Medicine. According to Dr. Timothy Dellit, chief medical officer at UW Medicine, the mailing of breach notification letters has cost UW Medicine around $1 million, not including the cost of the investigation and identifying patients impacted by the breach.

The breach has prompted a review of policies and procedures, which have now been updated to prevent similar incidents from occurring in the future.

The post PHI of Almost 1 Million UW Medicine Patients Exposed Online appeared first on HIPAA Journal.

Maryland Considers Tougher Penalties for Ransomware Attacks

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state.

The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock.

Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more.

The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable costs of verifying whether a system has been altered, acquired, damaged, deleted, disrupted, or destroyed.

The penalty for a ransomware attack that results in more than $1,000 in losses would increase to a maximum fine of $100,000 and up to 10 years imprisonment. If the attack results in aggregate losses of less than $1,000, the crime would be a misdemeanor and could result in a fine of up to $25,000 and up to 5 years imprisonment.

Even being in possession of ransomware (for non-research purposes) could result in a hefty fine and prison term, even if no attacks have been conducted. Possession with intent could result in a fine of up to $10,000 and up to 10 years imprisonment.

It would also be possible for a person who has suffered a specific and direct injury as a result of a ransomware attack to bring a civil action against the attacker and for damages to be awarded and the cost of legal action to be recovered.

Ransomware poses a threat to all businesses, but healthcare organizations are especially vulnerable. Ransomware attacks on hospitals not only cause financial losses but could also potentially cause harm to patients. Loss of access to healthcare systems and encryption of patient data can disrupt medical services, which could lead to fatalities.

Research conducted at Vanderbilt University in 2017 suggests ransomware attacks on hospitals could potentially result in 2,000 deaths a year. The financial losses can also be considerable. The ransomware attack on Maryland-based Medstar Health in 2016 is believed to have caused more than $30 million in losses.

The post Maryland Considers Tougher Penalties for Ransomware Attacks appeared first on HIPAA Journal.

March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches

The deadline for reporting 2018 data breaches of fewer than 500 records is fast approaching. HIPAA covered entities and their business associates must ensure that the Department of Health and Human Services’ Office for Civil Rights (OCR) is notified of all 2018 data breaches of fewer than 500 records before March 1, 2019.

The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to report data breaches of 500 or more records within 60 days of discovering the breach. The deadline for reporting small healthcare data breaches is 60 days from the end of the calendar year in which the breach was experienced.

If it is not possible to determine how many individuals have been affected by a data breach, or if the breach investigation has not been concluded before the 60-day deadline, an interim breach report should be submitted. The breach report can then be updated as and when further information becomes available.

If a data breach is not reported within the 60-day reporting window, OCR can issue a financial penalty for noncompliance. While fines for HIPAA violations are typically reserved for particularly egregious cases of noncompliance and extensive HIPAA failures, OCR has taken action against healthcare organizations for breach notification failures in the past.

In January 2017, OCR issued its first fine solely for a HIPAA Breach Notification Rule violation. Presence Health experienced a data breach in 2013 that affected 836 patients. Operating schedules had been removed from its Joliet, IL, surgery center and could not be located. Presence Health learned of the breach on October 22, 2013 but did not send notifications to patients for 101 days – 31 days later than the reporting deadline. OCR was notified 36 days after the deadline had passed. Presence Health agreed to settle the case with OCR for $475,000.

The post March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches appeared first on HIPAA Journal.

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018.

The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general.

The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches.

According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018.

In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased each quarter, from 1,175,804 records in Q1 to 6,281,470 healthcare records in Q4.

The largest data breach of the year was a hacking incident at a business associate of a North Carolina health system. Over the space of a week, the hackers gained access to the health records of 2.65 million individuals.

Healthcare hacking incidents have increased steadily since 2016 and were the biggest cause of breaches in 2018, accounting for 44.22% of all tracked data breaches. There were 222 hacking incidents in 2018 compared to 178 in 2017. Data was only available for 180 of those breaches, which combined, resulted in the theft/exposure of 11,335,514 patient records. The hacking-related breaches in 2017 resulted in the theft/exposure of 3,436,742 records. While it was not possible to categorize many of the hacking incidents due to a lack of data, phishing attacks and ransomware/malware incidents were both common.

Insiders were behind 28.09% of breaches, loss/theft incidents accounted for 14.34%, and the cause of 13.35% of breaches was unknown.

Insider breaches included human error and insider wrongdoing. These breaches accounted for a lower percentage of the total than in 2017 when 37% of breaches were attributed to insiders. Information was available for 106 insider-related breaches in 2018. 2,793,607 records were exposed in those breaches – 19% of exposed records for the year. While the total number of insider incidents fell from 176 to 139 year over year, there was a significant increase in the number of records exposed in insider breaches in 2018.

Insider errors resulted in the exposure of 785,281 records in 2017 and 2,056,138 records in 2018. Insider wrongdoing incidents resulted in the exposure of 893,978 records in 2017 and 386,469 records in 2018.

Without the proper tools in place, insider breaches can be difficult to detect. In one case, it took a healthcare provider 15 years to discover that an employee was snooping on patient records. Several incidents took over four years to discover.

Snooping by family members was the most common cause of insider breaches, accounting for 67.38% of the total. Snooping co-workers accounted for 15.81% of insider breaches. Protenus notes that there is a high chance of repeat insider offenses. 51% of cases involved repeat offenders.

Overall, it took an average of 255 days for a breach of any type to be discovered and an average of 73 days for breaches to be reported after they were discovered.

Healthcare providers were the worst affected group with 353 data breaches – 70% of all reporting entities. 62 breaches were reported by health plans (12%) and 39 (8%) were reported by other entities. It was a particularly bad year for business associates of HIPAA covered entities with 49 incidents (10%) reported by business associates. A further 102 incidents (20%) had some business associate involvement.

Protenus expects the trend of more than one breach per day to continue in 2019, as has been the case every year since 2016.

The post 2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records appeared first on HIPAA Journal.