Unauthorized access blamed in more 2016 data breaches than hacking

The leading cause of healthcare data breaches so far this year is unauthorized access or disclosure, not hacking, according to data compiled by HHS’ Office of Civil Rights (OCR).

From January 1, 2016 through June 3, there were 114 breaches reported to OCR from providers, health plans, and their business associates, broken down by the following classifications:

  • 47 caused by unauthorized access or disclosure
  • 34 by hacking or IT incident
  • 26 by theft
  • Five by loss
  • Two by improper disposal

While unauthorized access was blamed in a greater number of incidents, hacking was responsible for the largest breach reported so far this year. A cyberattack aimed at Florida-based 21st Century Oncology affected more than 2.2 million patients. The company learned of the attack in November 2015, though it wasn’t reported to OCR until March 4 at the FBI’s request.

The largest breach classified as unauthorized access or disclosure was an incident involving the Washington State Health Care Authority, where an improper e-mail exchange between two employees exposed the data of more than 91,000 patients.

A report released by IBM earlier this year warned that the greatest cybersecurity threat in healthcare and other industries was "insiders" who could access company data remotely.

OCR’s data also lists the location of the breached information, though multiple sources are listed in some of the 114 incidents. The most common location of breached information was paper or film records (cited in 31 incidents) followed by network server (23 incidents) and email (15 incidents).

John Gregory, Senior Writer

John joined TriMed in 2016, focusing on healthcare policy and regulation. After graduating from Columbia College Chicago, he worked at FM News Chicago and Rivet News Radio, and worked on the state government and politics beat for the Illinois Radio Network. Outside of work, you may find him adding to his never-ending graphic novel collection.
