Health care organizations in the United States lost far fewer patient records in 2016 due to cyberattacks, compared to the year before, but suffered through almost twice as many data breaches during the year.
According to a report by Protenus, 27.3 million patient records were compromised that year, down from 113 million in 2015. With that said the health care industry averaged more than one data breach per day in 2016 for a total of 450, up from the 253 breaches that took place the prior year. Protenus noted that the total figure of lost records is not complete as it only had numbers for 380 of the reported breaches.
The reason for the dramatic drop was straight forward and has nothing to do with improved cybersecurity at these facilities.
“While it may seem that there is a significant drop between the total patient records affected by health data breaches from 2015 to 2016, most of that difference is attributable to a single event. Anthem was the largest health data breach of 2015, affecting 80 million patient records. Once this single breach is removed, the side-by-side comparison between 2015 and 2016 isn't drastically different, 33 million vs 27 million respectively,” Protenus CEO Robert Lord said to SC Media.
Protenus' data showed that while the number of breach incidents varied between 21 and 58 per month, but the vast majority of patient records were compromised in June and August when 10.8 million and 9.1 million records, respectively, were affected. However, April and November were the months when the most incidents took place.
Banner Health had the dubious honor of being the most breached organization when it announced in August that 3.6 million records were compromised in a breach that was first noticed the previous month.
The source behind the breaches were almost evenly split between insider threats, both human error and criminal, and those executed by external forces and included some type of hacking.
About 43 percent, or 192, of the breaches were caused by people acting from within. In Ninety-nine of these cases human error or mistakes were the cause of the problem, while the remainder were all the result of intentional wrongdoing, the report states.
Insider mistakes actually proved more harmful than intentional criminal activity. The average number of records breached per unintentional breach was 17,642, while illegal insider actions caused and average of 5,729 records to be compromised.
As in every other sector that suffered cybersecurity issues in 2016, ransomware also played a role in the health care industries problems.
Protenus said 26.8 percent, or 120, of all breaches were due to hacking attacks of one type or another. Of the 120 cases 30 involved ransomware and another 10 included the health care group being involved in an extortion attempt that did not have a ransmware component. Protenus only had the lost record figures for 99 of the 120 incidents, but 23.7 million of the 27 million records breached in 2016 were covered in those 99 cases.
Protenus also believes the number of ransomware cases was severely under reported.
“We suspect that the 30 cases are a significant underestimate due, in part, to at least two factors. First, HHS's public breach tool only codes incidents as “hacking” but does not provide any information as to whether a hack involved ransomware. Second, many entities did not realize that they should be reporting these incidents until July, when HHS issued guidance on whether ransomware incidents are to be using either ransomware or extortion methods without the malware component. These resulted in 23.7 million, or 87 percent, of the record being breached,” the report stated.