The Protenus Breach Barometer shows over 41.4 million patient records were exposed by 572 security incidents in 2019, while hacking incidents surged and insider-related events decreased.
By Jessica Davis
February 19, 2020 – More than 41.4 million patient records were breached by 572 healthcare data breaches in 2019, as hacking surged. And it’s likely those estimates are vastly underestimated given two significant security incidents have yet to be reported, according to the latest Protenus Breach Barometer.
Protenus analyzed breaches reported to the Department of Health and Human Services, the media, or other sources. The researchers only had data for 481 of the 572 incidents. The two unreported incidents affected 500 dental offices and could impact a serious amount of patient data.
According to the report, there was a slight increase in reported breaches in 2019 than in the previous year and a serious jump in the number of impacted records. Just 15 million records were reported exposed in 2018.
“Despite innovations in healthcare compliance analytics, the healthcare industry has continued to experience an increase in the number of reported health data breaches, year over year, since Protenus started compiling statistics in 2016,” researchers explained.
“This is an alarming trend which should change as more organizations deploy advanced patient privacy monitoring systems that can prevent future incidents,” they added.
The American Medical Collection Agency breach was the largest seen last year, impacting about 21 million patient records from a wide range of covered entities, including Quest Diagnostics, LabCorp, BioReference, and Clinical Pathology.
The breach went undetected for about eight months and exposed a trove of personal data, including Social Security numbers, personally identifiable information, and physical addresses. According to researchers, the breach was discovered when analyst found the information for sale on the dark web.
Notably, hacking incidents were behind 58 percent of all healthcare data breaches in 2019 with 330 incidents, compared with 222 hacking incidents in 2018. Overall, hacking jumped 49 percent last year, an alarming trend that Protenus attributed to the increased creativity in the methods used to target healthcare organizations.
“In contrast to previous hacking incidents, current ransomware threat actors have taken to naming victims who do not pay the ransom demands, and then publicly dumping the data if they refuse to pay,” researchers wrote.
“To make matters worse, in 2019 there were incidents of hackers attempting to extort money from the breached patients, not just the affected healthcare organizations,” they added. “The healthcare industry should pay particular attention to these new types of threats in 2020.”
There was also a 20 percent decrease in insider-related incidents, which researchers attributed to the adoption of healthcare compliance analytics in in US health systems and improved employee education.
However, the number of records impacted by insider breaches did rise to 3.8 million this year, up from 2.8 million in 2018. In total, insiders were behind 19 percent of the total number of breaches in 2019, down from 28 percent the previous year.
“Even with the decrease in the number of insider incidents, they still pose a significant threat with one insider-related incident going undetected for over seven years,” researchers explained.
“While there were substantially fewer patient records breached by insider-wrongdoing, they are often more dangerous since employees with legitimate access to patient information can abuse their access with malicious intent, often undetected,” they added.
Moving forward, Protenus recommended healthcare organizations turn to advanced technologies like compliance analytics that can leverage AI to detect when insider inappropriately access patient data and can potentially prevent insider breaches.
Further, risk assessment and employee training are crucial to organizations getting ahead of the hackers, as well as ensuring they are testing their security measures to ensure effectiveness. Backups need to be separate from the main network, to ensure threats do not proliferate. Employee training is also key to preventing phishing attacks, as seen in an earlier study published in JAMA.
“In 2020, it’s vital that health systems make health data security a top priority, gaining insight into how patient data moves through the organization and the ability to differentiate between appropriate and inappropriate access to patient information,” researchers wrote.
“Armed with the latest information and utilizing the latest advances in technology, the healthcare industry can gain visibility into patient data access which will ultimately make their institutions more secure and further ensure patient trust,” they added.