32M patient records have been breached in first half of 2019

Data breaches are a costly and detrimental experience for healthcare providers, and the prevalence of security breaches in the industry appears to be trending up. In the first six months of 2019, 32 million patient records have been breached in data security events, according to a new report from Protenus. By comparison, roughly 15 million patient records were breached in 2018.

The report, 2019 Mid-Year Breach Barometer, revealed that breached patient records in the first half of 2019 already doubled the total amount for all of 2018. In the first six months of the year, 285 incidents were disclosed to HHS or the media. Of those, 31.6 million patient records were affected in 240 incidents.

May 2019 stuck out during the first half of the year, with more than 21 million patient records breached during the month. The single largest breach of a medical collection agency in 2019 was reported that month, when the records were found for sale online. In this breach, which affected large companies including Quest Diagnostic, LabCorp and Optum 360, hackers possibly gained access to patients’ social security numbers, addresses and dates of birth.

However, not all breaches happened from hackers. Insiders at healthcare providers were responsible for nearly 21% of all breaches during the first half of 2019, or 60 incidents. This includes insider-error, without malicious intent, or insider-wrongdoing, such as theft of information. Of 47 incidents where details were disclosed, nearly 3.5 million records were breached.

More than 3.3 million records were breached as a result of insider error, the report found, underscoring the rising importance of training and education on cybersecurity in the healthcare space.

“The substantial number of insider-related incidents should serve as a reminder for healthcare organizations to prioritize routine training and 100% activity auditing and documentation for their workforce,” the report reads. “Recurring education is instrumental in ensuring healthcare employees are aware of common threats to patient privacy and how to prevent them, helping reduce to reduce risk across the entire organization."

Still, hacking remains the primary cause of breached records, including malware, ransomware and phishing.

Most of the breaches are also happening to healthcare providers––72% of reported incidents in the first half of 2019 came from a healthcare provider, while only 32 incidents were from a health plan, 26 by a business associate or third-party vendor and 22 by businesses and other organizations. Astonishingly, 35 breach incidents were related to paper records, even as the healthcare system has shifted to digital records.

With such a high prevalence of patient record breaches in healthcare, the issue of hacking and cybersecurity is still a major threat to players in the industry. In the case of one hack, the incident took 8.5 years to discover, the report found. The unauthorized access of patient records of an insurer and administrator of dental and vision benefits may have occurred as early as mid-2010, including sensitive personal information, tax IDs and other financial information. This hack affected nearly 3 million.

Out of 46 states represented in the disclosed incidents, California had the highest number of breaches so far in 2019, with 26 separate events. Texas followed, with 22, and Florida had 20 incidents.

Amy Baxter

Amy joined TriMed Media as a Senior Writer for HealthExec after covering home care for three years. When not writing about all things healthcare, she fulfills her lifelong dream of becoming a pirate by sailing in regattas and enjoying rum. Fun fact: she sailed 333 miles across Lake Michigan in the Chicago Yacht Club "Race to Mackinac."

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.