Number of patient records breached nearly triples in 2019

Over 41 million patient records were breached in 2019, with a single hacking incident affecting close to 21 million records.

The number of patient records breached in 2019 was almost triple the 2018 figure, when 15 million patient records were affected by breach incidents, according to a report from Protenus and DataBreaches.net.

Protenus, a healthcare compliance analytics firm, analyzed data breach incidents disclosed to the U.S. Department of Health and Human Services or the media during 2019.

There also has been an alarming increase in the number of breaches of patient privacy since 2016. Four years ago, there were 450 security incidents involving patient data, and that jumped to 572 incidents in 2019.

This number is likely to be a huge underestimate, as two of the incidents for which no data were available affected 500 dental practices and clinics and could involve significant volumes of patient records, Protenus reported.

There continues to be at least one health data breach per day, a trend Protenus first reported in 2016.

Here are three major cybersecurity trends Protenus found:

1. Hacking incidents surge

Hacking incidents, particularly ransomware incidents, appear to be on the rise: hacking was the cause of 58% of the total number of breaches in 2019, impacting 36.9 million patient records.

And one disturbing trend: Hackers are getting more creative in how they exploit healthcare organizations and patients alike.

In 2019, there were incidents of hackers attempting to extort money from patients whose records were exposed, not just the affected healthcare organization. In one incident in Florida, hackers sent ransom demands to a number of the affected patients, "threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met," Protenus reported.

2. One massive data breach

The single largest privacy incident reported last year was a massive security breach at American Medical Collection Agency (AMCA), a third-party billing collections firm. At least four clinical labs, including Quest Diagnostics and LabCorp, were impacted by AMCA's security breach which, to date, exposed the sensitive data of 21 million patients.

The breach was discovered when analysts found patient information, including dates of birth, Social Security numbers and physical addresses, for sale on the dark web, according to Protenus.

In the aftermath of the breach, AMCA's parent company, Retrieval-Masters Creditors Bureau, voluntarily filed for Chapter 11 bankruptcy protection in the Southern District of New York in June.  

3. Staff members pose major security risk

Staff members inside healthcare organizations were responsible for breaching 3.8 million patient records in 2019, up from 2.8 million records in 2018.

The report characterized insider incidents as either human error or insider wrongdoing, which includes employee theft of information, snooping in patient files and other cases where employees appeared to have knowingly violated the law. 

As one example, the report highlighted an incident where a nurse is suspected of gaining access to patient information and providing the data to a third party for fraudulent purposes. It is estimated that 16,542 patients could have been affected over the course of almost two years before discovery. The investigation is still ongoing.

Phishing attacks also continue to plague healthcare. Hospital employee education and training to detect and not fall victim to such attacks are imperative to get ahead of the hacking incidents, the report said.

"Hackers are also using credential-stuffing attacks, making it increasingly important to train employees not to reuse passwords across work settings and personal accounts," Protenus wrote.