The massive number of healthcare data breaches continues to mount as 2016 draws to a close.
An analysis of data from the OCR Breach Portal reveals that this year ranks near the all-time highest for the number of HIPAA violation cases since record keeping began in 2009.
What did we find?
The OCR’s portal lists all healthcare data breaches reported since 2009 that affected more than 500 people. The breaches are of PHI (protected health information), which healthcare organizations are required to protect under HIPAA.
Below, we dig into the breach data published by OCR to find trends that matter in 2016.
The rate of data breaches in 2016 is on pace to match the greatest number reported in healthcare history.
Table 1 below shows, by year, the number of PHI breaches and the number of individuals affected by those breaches, as reported on the OCR Breach Portal.

Table 1: OCR Healthcare Data Breaches, 2009 to Current

| | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 01/01/16 - 10/26/16 |
|---|---|---|---|---|---|---|---|---|
| # of Breaches | 18 | 198 | 196 | 208 | 274 | 307 | 270 | 252 |
| # of Affected Individuals | 134,773 | 5.5 million | 7.4 million | 2.8 million | 7.0 million | 12.7 million | 113.3 million | 14.3 million |
Between January 1 and October 26, 2016, 252 breaches were reported to the OCR. That’s an average of about 25 per month. With slightly more than two months left in the year, only 55 more breaches are needed to match the previous record set in 2014.
Over the same period, OCR received notice that more than 14 million people were affected by healthcare data breaches in 2016. That’s more than any year except 2015.
And 2015 was an exceptional year. Several of the largest data breaches in healthcare history were reported, including the Anthem breach that affected nearly 80 million records.
Whether or not 2016 will set new records remains to be seen. But one fact is clear: this year ranks among the top for healthcare data breaches.
More than 23,000 people received an email with a ransomware attachment after an unauthorized person gained access to a mailing list stored on a system maintained by a business associate of Mayfield Clinic in Ohio.
The PHI compromised during the breach included the email addresses, according to OCR. Mayfield sent an email notification to affected individuals on the day of the incident, sent a second notice two days later, posted a notice on its website, and notified the media.
Mayfield Clinic has since assessed its system controls and provided anti-scanning updates to its employees’ emails. It deleted the email addresses it maintained on its Business Associates’ systems, and discontinued the distribution of electronic newsletters.
Healthcare giant Bon Secours Health System announced that files containing information on about 655,000 patients were left freely available on the web for four days.
The oversight was blamed on one of the company’s vendors, R-C Healthcare Management, which made the files accessible via the internet while adjusting their computer network settings in April.
Bon Secours began an internal investigation and determined the divulged information may include patient names, addresses, social security numbers, health insurance names and numbers and bank account information. Customers were notified by letter. In response to the incident, Bon Secours is reinforcing its standards with vendors.
Ironically, in July, after the incident occurred but before it was reported, Bon Secours was recognized as one of the Most Wired by the American Hospital Association’s Health Forum. The designation measures how well a health care organization leverages information technology to increase the performance of value-based health care.
A laptop was stolen from a California Correctional Healthcare Services employee’s car in February 2016. It potentially contained the healthcare information of 400,000 patients of the California Department of Corrections and Rehabilitation who had been incarcerated between 1996 and 2004.
Employee Joyce Hayhoe said the response included “corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards.”
Seim Johnson, an accounting consulting firm that acts as a HIPAA business associate for 10 healthcare providers, reported a breach that may have affected nearly 31,000 individuals.
The breach stemmed from a stolen laptop that contained unencrypted demographic, clinical, and financial data on patients.
The employee who took the laptop and the company’s security officer were sanctioned. Employees were retrained about the security risks of portable devices.
Banner Health is Arizona’s largest healthcare provider, with 29 hospitals in 7 states. Hackers breached data affecting about 3.7 million of its patients, according to Banner’s statement.
The hack began with a breach of payment-card processing systems at several food and beverage retail stores at Banner locations. The breach spread to health plan and patient information, including names, addresses, birthdates, and possibly social security numbers.
Victims include doctors, patients, beneficiaries, food and beverage customers, and health plan members.
Newkirk Products disclosed that one of its servers was accessed without authorization. Newkirk issues healthcare IDs to dozens of companies including Blue Cross and Blue Shield of North Carolina, Blue Cross and Blue Shield of Kansas City, and DST Health Solutions.
The breach affected about 3.3 million individuals, and is assumed to have started on May 21 and gone undiscovered until July 6.
The data accessed varied by each person’s plan, but may include patient names, mailing addresses, primary care providers, covered dependents, Medicaid ID numbers and more.
Newkirk established a dedicated website where clients can find information about the incident. A forensic investigation is underway, and the company offered free identity protection and restoration services to victims for two years.
In August, Valley Anesthesiology and Pain Consultants, Inc. notified 882,000 past and current employees, providers and patients that a third party may have gained unauthorized access to their computer system in March.
A forensics firm hired by the company could not confirm that the system was accessed, nor could it rule that out. The company chose to notify the individuals anyway.
Compromised information could include names, treatments, insurance identification numbers, social security numbers, professional license numbers, Drug Enforcement Agency numbers, and financial information including bank account numbers.
The company is contacting potentially affected individuals with information on how to protect themselves. It is also reviewing its security practices and strengthening its network firewalls.
Each breach reported to the OCR is classified by type. Types include hacking/IT incidents, theft, loss, improper disposal, and unauthorized access/disclosure.
The location of the breached PHI is also listed. Options include laptops, network servers, desktop computers, email, paper, films, and other portable electronic devices.
Table 2 shows the types of breaches reported and the number of individuals affected by each type from Jan. 1 to Oct. 26, 2016.
Table 2: OCR Healthcare Data Breaches by Type, Jan 1 - Oct 26, 2016

| | Unauthorized Access/Disclosure | Theft | Loss | Improper Disposal | Hacking/IT Incident |
|---|---|---|---|---|---|
| Total # of Breaches | 105 | 47 | 11 | 4 | 84 |
| Smallest # of individuals affected | 500 | 500 | 60 | 1,212 | 500 |
| Largest # of individuals affected | 651,971 | 205,748 | 483,063 | 113,528 | 3,620,000 |
| Total # of individuals affected | 1,443,645 | 869,216 | 531,426 | 118,594 | 11,388,868 |
Hacking/IT incidents are the most significant cause of compromised PHI. While many companies claim there’s no proof the information has been used for nefarious purposes, it makes sense to assume a hacker will eventually try to monetize stolen information.
The explanations provided for unauthorized disclosure often refer to human error. An example is Vancouver Radiologists PC, which reported that mammogram reminder cards were mislabeled, so patients received cards at their home addresses, but with the wrong names on the cards.
Thefts range from office robberies, including one at Elite Imaging where a log-book with 1,457 patients’ names was stolen, to an office break-in at Associates in EyeCare P.S.C., where two laptops and an external drive holding the protected health information of 971 patients were stolen.
An example of loss was reported by Radiology Regional Center P. A., when 483,063 records were lost while the records were being transported to be incinerated. Several foot searches of the area led to the retrieval of most, but not all, of the records.
Community Mercy Health Partners reported improper disposal when a citizen discovered patient medical documents at a recycling center.
Whether by malicious hacking or human error, the personal information of millions of people is at risk due to negligence and unpreparedness by healthcare companies and their Business Associates.
Reporting records show that in some cases there is a striking delay between the time an incident occurs, the time an incident is detected, the time an incident is reported to OCR, and the time an incident is revealed to those potentially affected.
These ongoing breaches are a significant reminder that every healthcare company is also an IT company. If healthcare companies are not willing or able to take on this responsibility, they need to find a subcontractor that can secure their files. Opportunities for IT providers abound.