Vulnerable populations included in the 157K breached patient records due to insider-error

Kira Caban
Published in tech-protenus
7 min read · Nov 16, 2017

October continued the recent trend of hacking incidents outnumbering insider incidents. Insider incidents, however, affected a substantially larger number of patient records, and those records included vulnerable populations. Vulnerable populations are groups of patients who, because of their race, age, socioeconomic status, or a specific diagnosis, often receive worse outcomes due to factors outside their control. These patients already face an uphill battle to get the care they need while feeling safe enough to divulge their most sensitive information to their care providers, so the healthcare industry should implement extra precautions to ensure they get the care they need and deserve. The average time it took healthcare organizations to discover a breach increased significantly compared with the previous two months: several incidents went undiscovered for more than a year, and one took almost three years to detect.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.


Findings for October 2017

Throughout 2017 there has been a consistent trend of at least one health data breach per day, and unfortunately October proved no exception. There were 37 breach incidents either reported to HHS or disclosed to the media. We have numbers for 29 of them, affecting 246,246 patient records. The single largest incident for which we have numbers involved approximately 150,000 patient records. Note that this figure is an estimate; the total number of affected patient records will not be clear until the investigation is complete.

2017 INCIDENTS INVOLVING PHI OR MEDICAL/HEALTH INFORMATION
2017 NUMBER OF BREACHED PATIENT RECORDS

Insider-Error Accounts for Majority of Breached Records

Over the past several months, the number of hacking incidents has outnumbered the number of insider incidents. October continued this trend but differed in one respect: although there were more hacking incidents, insider-error incidents accounted for 65% of all affected patient records.

There were 13 hacking incidents, representing 35.1% of this month’s health data breaches. We have numbers for 10 of those incidents, which affected 56,837 patient records. Two incidents specifically mentioned ransomware as the cause of the breach, two incidents specifically mentioned phishing, and three incidents involved extortion (although not all the organizations have acknowledged or reported these breaches). TheDarkOverlord was involved in all three of the extortion incidents.

TYPES OF INCIDENTS, OCTOBER 2017 HEALTH DATA BREACHES
BREACHED PATIENT RECORDS BY TYPE OF INCIDENT, OCTOBER 2017 HEALTH DATA BREACHES

Insiders were responsible for 29.7% of all incidents in October (11 incidents), and five of those were the result of insider error. We have numbers for three of these insider-error incidents, affecting 157,737 patient records. One of them, affecting 6,231 patient records, involved a flyer mailed to patients about an opportunity to participate in an HIV research project. The healthcare organization later learned that the words "Your HIV Detecta" were visible through the envelope, potentially exposing very sensitive patient information to anyone who handled the mail. Another incident occurred when an organization uncovered an improperly secured AWS S3 bucket that was exposing protected health information (PHI): 316,363 PDF reports, equating to approximately 150,000 patient records, consisting of weekly blood test results used to monitor and adjust patients' Coumadin (warfarin) dosage. The third insider-error incident, affecting 1,506 records, was likewise due to a misconfigured AWS S3 bucket that left PHI stored insecurely. These incidents are a reminder for healthcare organizations to train employees routinely on how to handle and distribute information to patients without breaching their privacy, and to verify the configuration of the cloud storage that holds PHI. This matters most when working with vulnerable populations: a patient with a diagnosis such as HIV has far more at stake if that information becomes public than if a credit card number leaks, and such a breach can be catastrophic to their entire way of life.
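Two of the three insider-error incidents above came down to an S3 bucket that was reachable by people it should never have been reachable by. The report does not say which setting was wrong, so the following is an added example (not Protenus code, and not tied to either incident) of the offline check a security engineer would run against the JSON that `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` return. The bucket ACLs, policies and account IDs are constructed for illustration; the grantee URIs and the four Block Public Access flag names are the real S3 ones.

```python
"""Offline audit of the three S3 controls that decide whether a bucket is
anonymously readable: the bucket ACL, the bucket policy, and Block Public
Access. Added example with constructed sample data; not from the report."""
import json

# S3's two predefined "everyone" groups. AuthenticatedUsers means *any* AWS
# account in the world, so for PHI it is as bad as AllUsers.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_is_public(acl):
    """True if any grant in a get-bucket-acl document goes to AllUsers or
    AuthenticatedUsers, whatever the permission (READ alone leaks objects)."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False


def _principal_is_anonymous(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """List (Sid, verdict, actions) for Allow statements with an anonymous
    principal. An unconditional one is 'public'; one with a Condition (for
    example aws:SourceVpce restricting access to a VPC endpoint) may be fine,
    so it is returned as 'review' for a human to decide."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "Statement[%d]" % i)
        verdict = "review" if stmt.get("Condition") else "public"
        findings.append((sid, verdict, _as_list(stmt.get("Action", []))))
    return findings


def assess_bucket(acl, policy=None, public_access_block=None):
    """Combine the controls the way S3 applies them: with all four Block
    Public Access flags on, public ACLs are ignored and public policies are
    restricted, so anonymous access is blocked regardless of the other two.
    Returns 'public', 'review' or 'private'."""
    pab = public_access_block or {}
    if all(pab.get(flag) for flag in BLOCK_FLAGS):
        return "private"
    if acl_is_public(acl):
        return "public"
    findings = policy_public_statements(policy) if policy else []
    if any(verdict == "public" for _, verdict, _ in findings):
        return "public"
    return "review" if findings else "private"


# ---- constructed sample inputs (not from any real account) ----------------
RESOURCE = "arn:aws:s3:::example-lab-results/*"
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": PUBLIC_GRANTEES.__iter__().__next__()},
                        "Permission": "READ"}]}
OWNER_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                         "Permission": "FULL_CONTROL"}]}
# The weak setting: anyone on the internet may GetObject.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": RESOURCE}]}
# The corrected policy: one named role may read, and plaintext HTTP is denied.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "IngestRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportIngest"},
     "Action": "s3:GetObject", "Resource": RESOURCE},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": RESOURCE,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
# Anonymous principal narrowed by a condition: flagged for review, not public.
VPC_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": RESOURCE,
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
FULL_BLOCK = {flag: True for flag in BLOCK_FLAGS}


def demo():
    """Verdicts for the weak, hardened and blocked configurations."""
    return {
        "public_acl": assess_bucket(WEAK_ACL),
        "public_policy": assess_bucket(OWNER_ACL, WEAK_POLICY),
        "hardened": assess_bucket(OWNER_ACL, HARDENED_POLICY),
        "vpc_only": assess_bucket(OWNER_ACL, VPC_ONLY_POLICY),
        "blocked": assess_bucket(WEAK_ACL, WEAK_POLICY, FULL_BLOCK),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-14s %s" % (name, verdict))
```

In practice you would run this over every bucket in the account, not just the ones you believe hold PHI: the incidents above were discovered by the organizations themselves only after the data had already been exposed, and an inventory-wide check is cheaper than a breach notification.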

The October insider-error incidents represent a drastic increase over previous months in the number of patient records affected by insider error: only 24,958 patient records were affected by insider error in September and 26,831 in August. Organizations need to put proper controls in place and provide appropriate employee training to minimize the potential for these incidents. Six incidents were the result of insider wrongdoing. We have numbers for four of these incidents, affecting 1,651 records.

It is also worth noting that there were four incidents of physical theft in October, affecting 16,533 records, and two incidents of records that were lost or went missing, affecting 3,994 records. Finally, four incidents involved a third party or business associate (BA). There may have been more, but not enough information was provided to make a determination, since the HHS breach tool tends to underreport incidents involving BAs. We have numbers for three of these incidents, affecting 4,104 records.

Types of Entities Disclosing

Of the 37 health data breaches in October, 29 of them (78.4%) involved a healthcare provider, seven of them (18.9%) involved a health plan, and one of them (2.7%) involved a school.

It is also worth noting that there were four health data breach incidents involving paper or film records. We have numbers for three of these incidents which affected 7,786 records. There may have been more incidents in which paper or film records were involved, but again, some reports were lacking details that would have enabled us to make that determination.

TYPES OF ENTITIES REPORTING, OCTOBER 2017 HEALTH DATA BREACHES

Average Time to Breach Discovery Remains Troublesome

Of the October breach incidents for which we have discovery dates (six incidents), it took an average of 448 days (median: 304 days) for a healthcare organization to discover a data breach. This continues the trend of healthcare organizations struggling to discover breaches until months or even years after they occur. One incident took 1,157 days (over three years) from when the breach began to when it was discovered. In that case, an employee defrauded the state of almost $1 million by falsely claiming that she was providing children's speech therapy services from September 2011 (when she left the company) to November 2014. This incident shows how damaging an insider breach can be and why organizations need to detect such incidents proactively, as soon as they occur, to limit the harm a malicious insider can do to the organization and its patients.

It also took an average of 175 days from when an incident was discovered to when it was disclosed to HHS or the media. Although that average suggests organizations are doing a poor job of meeting the 60-day reporting window HHS requires, the median was only 59 days. A few incidents went unreported for a very long time, which is why the average and the median differ so drastically. One incident, for example, was not reported for 1,081 days (almost three years). That breach involved a former nurse stealing the information of nursing home patients and using it to file over $1 million in false tax claims.

DAYS BETWEEN BREACH AND DISCOVERY, OCTOBER 2017 HEALTH DATA BREACHES
DAYS BETWEEN DISCOVERY AND DISCLOSURE, OCTOBER 2017 HEALTH DATA BREACHES

Breach Incidents By State

Twenty-three states are represented in this month's 37 health data breach incidents. California and Florida had the most health data breaches in October, with four incidents each; New York and Texas followed with three each. California routinely has a relatively high number of breach incidents, but this may simply reflect its larger number of reporting entities and patients and/or more robust reporting.

NUMBER OF HEALTH DATA BREACHES BY STATE, OCTOBER 2017

Conclusion

Unfortunately, the healthcare industry is still plagued by a multitude of threats to patient privacy. Both external and internal actors continue to threaten patient information, and these breaches often go undetected for years, affecting thousands of patients. Our hope is that healthcare will begin to have conversations about how the industry can better protect the privacy of all patients, and devote specific attention to vulnerable populations. These patients traditionally have a difficult time trusting their caregivers out of fear that their very private diagnoses will be made public, and incidents like the HIV mailing described above can cause huge setbacks in getting them the routine care they need. Let this serve as a call to action for healthcare to make the privacy of vulnerable populations an increasing priority in the new year.

If you’d like to read more about the details pertaining to specific breach incidents, you can find reports on the Databreaches.net website.

Sign up to be the first to receive our monthly Breach Barometer report for the latest information on the data breaches affecting healthcare.
