August was a bad month for healthcare data breaches. Over 8.8 million health plan member and patient files were stolen or exposed, totaling exactly 8,804,608 files. According to the latest installment of the Protenus Breach Barometer, the total number of healthcare files exposed or stolen this summer now exceeds 20 million.
In August, 44 breach reports were submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR), pertaining to 42 separate cases. This makes August the worst month so far this year for healthcare data breaches and the second worst in terms of the number of healthcare files exposed. Only June had more files breached (11,061,649). The total number of breaches reported so far in 2016 is currently 233.
The Breach Barometer indicates that one of the biggest threats to healthcare data security is employees. Employees were responsible for initiating 42.86% of the data breaches reported in August. Hacking – including ransomware attacks – was the second leading cause of breaches, accounting for 28.57% of cases. Theft and loss of devices containing PHI accounted for 11.9% of breaches. The cause of 16.67% of breaches is unknown.
In August, healthcare providers were the hardest hit, involved in 37 cases. Nearly one in five breaches involved a Business Associate (BA). Events involving BAs accounted for 47% of all breached files.
It is difficult to determine accurately how quickly covered entities are discovering data breaches, since not all of them disclose the date of the breach, the date of discovery, and the date patients were notified. Of the 13 data breaches in the report that disclosed this information, 38% took more than 60 days to discover the breach, although some entities discovered a breach within 20 days.
Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities have up to 60 days after the detection of a data breach to inform OCR and send breach notification letters to patients. In several cases, delivery of breach notification letters was delayed.
Fortunately, several covered entities seem to be better prepared for breaches and were able to deliver notices well within the period permitted by the HIPAA Breach Notification Rule.
Covered entities in 20 states reported breaches in August, with California being the worst hit, reporting six cases.