Breaches of patient privacy appear to be on the rise in the first half of 2019 with an alarming number of records affected by security incidents: 31.6 million.
That's more than double what the healthcare industry experienced throughout the entire year of 2018 with 14.2 million patient records affected by breach incidents, according to a breach report from Protenus and DataBreaches.net.
So far in 2019, there have been 285 breach incidents disclosed to the U.S. Department of Health and Human Services or the media from January to June 2019. Details were disclosed for 240 of these incidents, affecting nearly 32 million patient records, Protenus found.
There continues to be at least one health data breach per day, a trend Protenus first reported in 2016.
The single largest breach in the first half of 2019 was a hacking incident affecting over 20 million patient records that involved American Medical Collection Agency, a third-party billing collections firm.
The victims of the massive AMCA breach include Quest Diagnostics, LabCorp, Opko Health (through one of its subsidiaries, BioReference Laboratories, Inc.), and Clinical Pathology Laboratories. It's estimated that the number of patients whose data was potentially exposed by the breach is now over 22 million. The incident was discovered when patient data was found for sale on the Dark Web.
Hacking was the cause of 60% of the total number of breaches throughout the first half of the year, affecting 27.8 million patient records.
Insiders were responsible for breaching more than 3 million patient records and 20% of total breaches so far in 2019. Insiders have legitimate reasons to have access to electronic health records, making it easier for inappropriate accesses to go under the radar.
Insider-related incidents are routinely reported to have longer than average detection times, making it imperative for healthcare organizations to utilize advanced methods for detecting inappropriate accesses to patient data, the report said.
Of the 67 health data breaches for which data was disclosed, it took an average of 214 days to discover a breach had occurred. The median discovery time was 50 days.
Protenus uncovered two insider-related incidents disclosed in the first half of the year where it took the organizations over five years to discover the breaches.
The substantial number of insider-related incidents should serve as a reminder for healthcare organizations to prioritize routine training and 100% activity auditing, the Protenus report said.
"Recurring education is instrumental in ensuring healthcare employees are aware of common threats to patient privacy and how to prevent them, helping to reduce risk across the entire organization. Auditing and documentation is essential to hold individuals accountable to this training," the report authors wrote.
About two-thirds of health data breaches in 2019 (72%) were disclosed by healthcare providers, while health plans disclosed about 11% of breach incidents so far this year.
Business associates or third-party vendors were responsible for only 9% of health data breaches but these breaches affected 23 million patient records. Hacking appears to be a significant challenge for third-party vendors as nearly half of the breach incidents so far in 2019 involved hackers, the report said.
The findings reinforce the need for healthcare privacy and security officers to have full visibility into how their data is being accessed in order to prevent these breaches from occurring, saving organizations and patients significant post-breach costs.