32M patient records have been breached in first half of 2019

Data breaches are a costly and detrimental experience for healthcare providers, and the prevalence of security breaches in the industry appears to be trending up. In the first six months of 2019, 32 million patient records have been breached in data security events, according to a new report from Protenus. By comparison, roughly 15 million patient records were breached in 2018.

The report, 2019 Mid-Year Breach Barometer, revealed that breached patient records in the first half of 2019 already doubled the total amount for all of 2018. In the first six months of the year, 285 incidents were disclosed to HHS or the media. Of those, 31.6 million patient records were affected in 240 incidents.

May 2019 stuck out during the first half of the year, with more than 21 million patient records breached during the month. The single largest breach of a medical collection agency in 2019 was reported that month, when the records were found for sale online. In this breach, which affected large companies including Quest Diagnostic, LabCorp and Optum 360, hackers possibly gained access to patients’ social security numbers, addresses and dates of birth.

However, not all breaches happened from hackers. Insiders at healthcare providers were responsible for nearly 21% of all breaches during the first half of 2019, or 60 incidents. This includes insider-error, without malicious intent, or insider-wrongdoing, such as theft of information. Of 47 incidents where details were disclosed, nearly 3.5 million records were breached.

More than 3.3 million records were breached as a result of insider error, the report found, underscoring the rising importance of training and education on cybersecurity in the healthcare space.

“The substantial number of insider-related incidents should serve as a reminder for healthcare organizations to prioritize routine training and 100% activity auditing and documentation for their workforce,” the report reads. “Recurring education is instrumental in ensuring healthcare employees are aware of common threats to patient privacy and how to prevent them, helping reduce to reduce risk across the entire organization."

Still, hacking remains the primary cause of breached records, including malware, ransomware and phishing.

Most of the breaches are also happening to healthcare providers––72% of reported incidents in the first half of 2019 came from a healthcare provider, while only 32 incidents were from a health plan, 26 by a business associate or third-party vendor and 22 by businesses and other organizations. Astonishingly, 35 breach incidents were related to paper records, even as the healthcare system has shifted to digital records.

With such a high prevalence of patient record breaches in healthcare, the issue of hacking and cybersecurity is still a major threat to players in the industry. In the case of one hack, the incident took 8.5 years to discover, the report found. The unauthorized access of patient records of an insurer and administrator of dental and vision benefits may have occurred as early as mid-2010, including sensitive personal information, tax IDs and other financial information. This hack affected nearly 3 million.

Out of 46 states represented in the disclosed incidents, California had the highest number of breaches so far in 2019, with 26 separate events. Texas followed, with 22, and Florida had 20 incidents.