Breaches in 2018 exceed previous year; affected patient records soar

The healthcare sector continues to be a highly valued target for hackers and other malicious attackers at the rate of one breach per day, according to a new report.

The research, published by Protenus, a healthcare compliance analytics company, and DataBreaches.net, a web site devoted to reporting on data security breaches, found that, out of all breaches reported last year, 353 (or 70 percent) involved healthcare providers, 62 (or 12 percent) involved health plans, and 39 (or 8 percent) involved some other type of entity.

The latest Breach Barometer report was based on an analysis of 503 health data breaches reported to the Department of Health and Human Services, the media or some other source during 2018. The number of breaches was up slightly from the 477 breaches reported in 2017. Protenus and DataBreaches.net have information on the majority of the breaches in 2018, which affected more than 15 million patient records, the companies said.

Although the number of breaches didn’t increase significantly over last year, there was an “alarming increase” in the number of affected patient records. The total number of patient records affected in 2018 was 15 million—almost triple the number reported in 2017, which affected 5.5 million patient records.

In addition, in 2018, there was a substantial increase in the number of breached patient records each quarter throughout the year, according to the report.


Hacking was up again in this year’s report—a trend first noted in the 2016 Breach Barometer, authors of the study say. Hacking incidents were constant throughout last year, with a total of 222 incidents, affecting 11 million patient records and comprising 44 percent of all breaches. This was up from 178 hacking incidents in 2017, which affected 3 million patient records.

“Keep in mind, it’s not just hacking that’s a problem,” says Robert Lord, co-founder and chief strategy officer of Protenus. “A huge portion of breaches are caused by insider threats, or those persons who have been granted access to patient information, but who abuse it.” Lord estimates that one quarter to a third of healthcare breaches are caused by insiders, even though hacking often gets the most media attention.

Leadership accountability is the No. 1 way to prevent breaches, and “that has to start with the c-suite and the board,” Lord says. Organizations need to back up their dedication to cybersecurity by allocating appropriate funding. Cybersecurity usually gets less funding than other priorities, he says. Finally, a solution to preventing breaches needs to be grounded in a policy dimension—at the state and federal level.

Lord notes that a great lesson from this year’s breach report—and one that applies to all types of institutions—is the fact that breaches can go undetected for years. This emphasizes the importance of reviewing 100 percent of transactions using artificial intelligence and proactively reducing risk through healthcare compliance analytics.

Besides hacking and insider incidents, there were also 61 breaches resulting from theft in 2018, affecting 771,656 records, in addition to 11 incidents involving missing or lost records, affecting 23,559 patient records. There were also 67 incidents that couldn’t be categorized because there was not enough information to classify them, the report found.
