The healthcare data breach that took 14 years to uncover

For the first time this year, outside hacks surpassed insider breaches both in frequency and in the total number of affected patient records.

In July, 17 of the 36 breach incidents disclosed to HHS, the media or a state were hacking incidents, affecting 516,053 patient records, according to security firm Protenus.

That’s almost 21 times more patient records than breached by insiders.

There were 10 hacking incidents in which ransomware was specifically mentioned as the cause of the health data breach. 

The largest single breach reported last month involved 300,000 patient records in a ransomware incident.

That breach took place at the Women’s Health Care Group of Pennsylvania: a server and a workstation located at one of its 45 practice locations were infected by a virus designed to block access to system files.

“As part of our investigation, we learned that external hackers gained access to our systems, as far back as January 2017,” the organization said in a statement.

Data put at risk included patient names, birth dates, social security numbers, pregnancy histories, blood type information and medical diagnoses.

But one internal breach in the July lineup stands out: It had been going on for 14 years at a state-owned hospital before coming to light.

In response to a patient complaint, an investigation found that an employee at Massachusetts’s Tewksbury Hospital appeared to have accessed that patient’s records without a good reason to do so. “This discovery led to a broader review of the employee’s use of the electronic medical records,” the Massachusetts Department of Health and Human Services said in a statement.

The agency found that the employee “appeared to have inappropriately accessed the records of a number of current and former Tewksbury Hospital patients.”

The breach affected 1,100 patient records from 2003 through May 2017 and included names, addresses, phone numbers, dates of birth, gender, diagnoses or other information about medical treatment at Tewksbury Hospital. For some individuals, it may also have included a social security number.

It’s by far the longest undetected breach ever included in one of its reports, says Protenus, which calls it “extremely worrisome.” 

“This is a prime example of why healthcare needs to be much more proactive in detecting inappropriate access to patient information,” the Protenus report says. “This organization will now face a multitude of costs associated with a breach, an unfortunate event that can now serve as a learning experience for the rest of the industry.”