Healthcare insiders were most likely to snoop on family members—a whopping 77.10 percent of privacy violations in the first quarter.
Snooping on fellow co-workers was the second most common insider violation, followed by snooping on neighbors and celebrities, according to proprietary nonpublic data collected by Protenus, an AI platform used to analyze access to patient data inside electronic health records.
In the largest breach disclosed in the first quarter, an unauthorized third party gained access to an Oklahoma-based healthcare organization’s network that stored patient billing information for 279,856 patients.
Although Protenus did not disclose the name of the organization, this appears to be a reference to the breach at the Oklahoma State University Center for Health Sciences (OSUCHS).
The center said in January that it learned that there had been unauthorized computer network access by a third party on November 7, 2017, and the third party removed folders containing Medicaid data from the network on November 8.
Medicaid numbers, healthcare provider names, dates of service, and limited treatment information may have been in the server folders, along with one Social Security number. Medical records were not on the server, OSUCHS stressed.
If healthcare employees breach patient privacy once, there is a greater than 20 percent chance that they will breach it again in three months’ time, and there is a greater than 54 percent chance they will do it again in one year, according to Protenus data.
Healthcare organizations accumulate risk that compounds over time when proper detection, reporting, and education do not occur, according to Protenus.
The Breach Barometer found that it takes healthcare organizations an average of 244 days to detect a breach once it has occurred.
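The family-member snooping and repeat-offender findings above suggest a simple audit-log check a defender can run in-house. The following is an added example, not Protenus code or anything from the report; the staff directory, patient index, audit rows and the "shared surname or address" heuristic are all constructed assumptions. It flags accesses to non-assigned patients who look like relatives of the accessing user, then lists users who repeat within a window.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the report): staff directory with the
# patients each user is assigned to, a patient index, and raw audit rows.
STAFF = {
    "u1001": {"surname": "Nguyen", "address": "12 Elm St", "assigned": {"p01", "p02"}},
    "u1002": {"surname": "Patel", "address": "8 Oak Ave", "assigned": {"p03"}},
}
PATIENTS = {
    "p01": {"surname": "Ortiz", "address": "3 Pine Rd"},
    "p02": {"surname": "Nguyen", "address": "40 Lake Dr"},  # relative, but assigned
    "p03": {"surname": "Kim", "address": "5 Bay St"},
    "p04": {"surname": "Nguyen", "address": "12 Elm St"},   # u1001's household, not assigned
    "p05": {"surname": "Patel", "address": "99 Hill St"},   # shares u1002's surname
}
ACCESS_LOG = [  # (timestamp, user_id, patient_id), constructed
    ("2018-01-03T09:12:00", "u1001", "p01"),
    ("2018-01-03T09:20:00", "u1001", "p04"),
    ("2018-02-14T16:45:00", "u1001", "p04"),
    ("2018-01-10T11:00:00", "u1002", "p05"),
    ("2018-06-30T08:05:00", "u1002", "p05"),
]

def family_reasons(user, patient):
    """Return why a patient looks like a relative of the user (empty if none)."""
    reasons = []
    if user["surname"].lower() == patient["surname"].lower():
        reasons.append("shared surname")
    if user["address"].lower() == patient["address"].lower():
        reasons.append("shared address")
    return reasons

def flag_family_access(log, staff=STAFF, patients=PATIENTS):
    """Flag accesses to a non-assigned patient who looks like the user's family."""
    flags = []
    for ts, uid, pid in log:
        user, patient = staff[uid], patients[pid]
        if pid in user["assigned"]:
            continue  # treatment relationship: expected access, not snooping
        reasons = family_reasons(user, patient)
        if reasons:
            flags.append((datetime.fromisoformat(ts), uid, pid, ", ".join(reasons)))
    return sorted(flags)  # chronological, so per-user times below are ordered

def repeat_offenders(flags, window_days=90):
    """Users with a second flagged access within window_days of the previous one."""
    by_user = {}
    for ts, uid, *_ in flags:
        by_user.setdefault(uid, []).append(ts)
    window = timedelta(days=window_days)
    return sorted(uid for uid, times in by_user.items()
                  if any(b - a <= window for a, b in zip(times, times[1:])))
```

On the sample data the 90-day window catches only u1001; widening it to a year also surfaces u1002, which mirrors the report's point that repeat risk keeps climbing the longer a first incident goes unaddressed.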
For 2017, the Breach Barometer found that 5.6 million patient records were compromised in 477 total breaches.
Of the 477 reported incidents in 2017, 379 involved healthcare providers, 56 involved health plans, 23 involved business associates or third parties, and 19 involved some other type of covered entity such as schools or law firms.
Breaking down the 477 incidents last year by type, 37 percent involved insiders, 37 percent involved hacking by outsiders, 16 percent involved loss or theft, and 10 percent were unknown.
There were 176 insider-related incidents, affecting 1.7 million patient records. There were 102 incidents involving insider error in 2017, and 70 incidents involving insider wrongdoing.
In one case of insider wrongdoing, a hospital employee snooped on patients’ information for 14 years before the breach was discovered. The breach affected 1,100 patient records and remained undetected until one of the patients called in with a complaint.
“This is an unfortunate example of how detrimental insider threats can be for a healthcare organization. This entity will now face a multitude of costs associated with a breach in addition to already taking additional measures to further secure their patients’ sensitive medical information,” the report observed.
Protenus found that healthcare hacking incidents involving ransomware or other types of malware doubled from 2016 to 2017. There were 64 hacking incidents involving ransomware or other types of malware last year, compared to 30 incidents in 2016.
Theft was also an issue, with 58 breaches affecting 218,000 patient records.
It took on average 308 days for an organization to discover a breach, up from 233 days in 2016. At the same time, it took 73 days on average to report a breach to HHS once it was discovered, significantly down from the 344 days on average to report to HHS in 2016, the report noted. These numbers are surprising, given that the HIPAA Breach Notification Rule requires that data breaches affecting 500 individuals or more must be reported to HHS within 60 days of discovery.
“In general, healthcare entities are able to detect hacking incidents quicker than insider incidents, but hackings tended to have longer gaps between the discovery of the breach and reporting it. This may be due, in part, to law enforcement officials asking organizations not to disclose the breach publicly as they can continue their investigation,” the report observed.
Original article by Fred Donovan
This post was curated with edits by Gordon Fletcher, Principal Consultant (Engineering & Mobile Technology) at Compumagick Associates, who can be reached at https://www.compumgickassociates.com/contact, @compumagick