Healthcare data breaches continued to climb in 2017, but the number of affected patient records declined 80% as the industry managed to avoid a large-scale attack.
Still, analysts warned that 2017 may have been an off year for malicious actors who are “taking a breach before a resurgence of attacks in 2018,” according to an annual Breach Barometer report published by Protenus and DataBreaches.net.
A total of 477 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights last year, up slightly from the 450 reported in 2016, according to the report. Far fewer records were implicated: 5.6 million in 2017 versus 27.3 million in 2016.
Some additional takeaways from last year’s statistics:
- The largest reported data breach was less than 700,000 in 2017, a far cry from two breaches in 2016 that totaled almost 20 million records.
- Providers made up the vast majority of OCR reports at 80%. Health plans represented 12%.
- Insiders continued to be a major contributor to data breaches last year, including one incident that went undiscovered for 14 years. According to statistics compiled by Beazley Group, a cyber liability insurance provider, fraudulent instruction scams saw a fourfold increase across all industries in 2017, leading to losses as high as $3 million.
- Hacking and malware incidents increased 50% over the course of the year, according to Beazley, making up 22% of breaches in 2017. Accidental disclosure declined—a potential sign of better education and processes—but still led the way with 34%.
- Ransomware incidents more than doubled over the last year from 30 to 64, which may be due to an increasing number of attacks or better reporting from healthcare entities, according to Protenus.
- On average, organizations took a longer time to discover a data breach in 2017, climbing to 308 days compared to 233 days in 2016. But average reporting time fell significantly to 73 days on average, compared to 344 days in 2016—although still outside the 60-day window mandated by OCR.
Ransomware attacks have already generated headlines in the first month of 2018 involving Allscripts and Hancock Health. The Allscripts outage impacted approximately 1,500 small physician practices who were left without access to their EHR or claims submission applications, although the vendor noted that no patient records had been compromised.
As frustration mounted over the outage last week, Allscripts was hit with a class-action lawsuit alleging it failed to maintain the proper precautions to prevent a cyberattack.