Many people will be glad to see the back of 2016. It has been a difficult year, especially for healthcare organizations. Ransomware attacks have increased, hacking incidents are up, and more data breaches have been reported this year than in any other year since records started to be kept by the Department of Health and Human Services’ Office for Civil Rights (OCR).
The year is certainly not ending well. November saw the highest number of healthcare data breaches of any month in 2016, including August, a particularly bad month for the healthcare industry in which 42 protected health information (PHI) breaches were reported by covered entities.
However, November’s total was 35% higher than August and 60% higher than October, according to the November Breach Barometer Report from Protenus. Last month, 57 healthcare data breaches were reported, which is almost two incidents per day.
Fortunately, the breaches that were reported were relatively small and the downward trend in the number of exposed/stolen records continued for the second month in a row. In total, 458,639 healthcare records were exposed in November, down 317,894 from the previous month.
November was something of an atypical month due to the nature of reporting of healthcare data breaches. Had the data breaches at Ambucor Health Solutions and EMR4All/Rehab Billing Solutions been reported as single breaches, the breach total for the month would have stood at 39. Still a particularly bad month, but not as bad as August.
As it was, the incidents were reported to OCR separately by each organization that was affected. There were 11 incidents reported by organizations impacted by the Ambucor Health Solutions breach and a further 9 reported by entities affected by the breach at EMR4All/RBS, according to DataBreaches.net, which provided the data for the Protenus report.
Recent surveys have suggested IT professionals are more concerned about insider breaches than cyberattacks by hackers, and with good reason. The Breach Barometer report shows how serious the threat of insider breaches is. In November, 54.4% of healthcare data breaches were caused by insiders. 17 breaches were accidental breaches by healthcare employees and 14 were the result of malicious actions by employees with access to PHI.
There were 9 incidents that involved hackers, which was an improvement on October when 14 incidents were attributed to hacking. Ransomware was involved in 3 security breaches reported in November. TheDarkOverlord, who has previously attempted to extort money from a number of healthcare providers after stealing their data, was involved in one incident.
Healthcare providers once again were the worst hit, registering 40 incidents – 70% of incidents – followed by health plans with 11. Business associates reported three breaches, although they were involved to some degree in at least 44% of the breaches reported in November.
Protenus calculated the average time taken to report incidents to OCR to be 135 days from the date of discovery. 65% of breaches were reported after the 60-day window allowed by the HIPAA Breach Notification Rule, most of them by entities affected by the Ambucor breach. The breaches in November were also widespread, with affected entities based in 24 different states.
According to DataBreaches.net, the entities involved in the breaches in November were:
| Entity | Entity Type |
| --- | --- |
| Aetna Signature Administrators | Business Associate |
| AON Hewitt | Business Associate |
| Austin Pulmonary Consultants | Healthcare Provider |
| Bay Sleep Clinic | Healthcare Provider |
| Berkshire Medical Center | Healthcare Provider |
| Best Health Physical Therapy, LLC | Healthcare Provider |
| Biomechanics LLC | Healthcare Provider |
| Briar Hill Management | Business Associate |
| Briar Hill Management | Business Associate |
| Broward Health: Broward Health Imperial Point | Healthcare Provider |
| Camas Center Clinic, Kalispel Tribe of Indians | Healthcare Provider |
| Carolina Cardiology Consultants (Greenville Health System) | Healthcare Provider |
| Charleston Area Medical Center | Healthcare Provider |
| CHI Franciscan Health | Healthcare Provider |
| Cleveland Clinic Akron General | Healthcare Provider |
| Command Marketing Innovations | Business Associate |
| Conemaugh Physician Group Cardiology | Healthcare Provider |
| Consultants in Neurological Surgery, LLP | Healthcare Provider |
| Darlingten | Business Associate |
| Darlingten | Healthcare Provider |
| EMR4All/RBS | Business Associate |
| Eye Institute of Marin | Healthcare Provider |
| GHI (Emblem Health) | Health Plan |
| Glendale Adventist | Healthcare Provider |
| Harrisonburg OB GYN Associates, P.C. | Healthcare Provider |
| Horizon BCBS & UnitedHealth Group | Health Plan |
| Horizon Blue Cross Blue Shield of New Jersey | Health Plan |
| HP Enterprise Services, LLC | Business Associate |
| Indiana Family and Social Services Administration - Indiana Health Coverage Program | Health Plan |
| Irvine Company | Business Associate |
| Kaiser Foundation Health Plan | Health Plan |
| Kaiser Permanente Health Plan – N. Cal | Health Plan |
| Kaiser Permanente Health Plan – S. Cal | Health Plan |
| KinetoRehab Physical Therapy, PLLC | Healthcare Provider |
| La Gloria Pharmacy | Healthcare Provider |
| LCS Westminster Partnership IV, LLP d/b/a Sagewood | Healthcare Provider |
| Lebanon Cardiology Associates, PC (now known as WellSpan Cardiology) | Healthcare Provider |
| Lenox Hill Heart and Vascular Institute | Healthcare Provider |
| Lister Healthcare | Healthcare Provider |
| Louisiana Health Cooperative, Inc. in Rehabilitation | Health Plan |
| Luque Chiropractic | Healthcare Provider |
| Main Line Health | Healthcare Provider |
| Managed Health Services | Health Plan |
| Marin Medical Practice Concepts, Inc. | Business Associate |
| New Mexico Heart Institute | Healthcare Provider |
| North Texas Heart Center, P.A | Healthcare Provider |
| OC Gastrocare | Healthcare Provider |
| OptumHealth New Mexico | Health Plan |
| Pikeville Medical Center | Healthcare Provider |
| Pinellas County Board of County Commissioners | Health Plan |
| Primerica | Business Associate (Financial Services) |
| Seguin Dermatology | Healthcare Provider |
| Stony Brook Internists, University Faculty Practice Corporation VA Eastern Colorado Health Care System | Healthcare Provider |
| Unnamed cleaning service | Business Associate |
| Unnamed vendor | Business Associate |
| Unnamed vendor + UPS | Business Associate |
| Vanderbilt U. Psychological & Counseling Center | Healthcare Provider |
| Vascular Surgical Associates | Healthcare Provider |
| Vein Specialists of Northwest Georgia | Healthcare Provider |
| Vision Care Florida, LLC | Healthcare Provider |
| WADA and USADA | Anti-Doping Agency |
| Wal-Mart Stores, Inc. | Healthcare Provider |
| Washington Department of Social and Health Services - Aging and Disability Services | Healthcare Provider |
| Watsonville Chiropractic (David W. Christie, D.C.) | Healthcare Provider |
| Wentworth-Douglass Hospital | Healthcare Provider |
| Young Adult Institute, Inc. | Healthcare Provider |
The post November 2016 Worst Month for Healthcare Data Breaches: 57 Incidents Reported appeared first on HIPAA Journal.