6 min read

Third Parties Prove Persistent Healthcare Data Risk

George V. Hulme

April 22, 2020

Third Parties Prove Persistent Healthcare Data Risk

According to the Protenus Breach Barometer report, there’s been a steady increase in healthcare related data breaches over recent years. Last year, there were 572 healthcare data breaches within U.S.-based healthcare industry. That’s up from 450 in 2016. When it comes to patient records leaked, they rose as well, reaching 41 million in 2019 from 15 million in 2018. According to the report, at least since 2016, there has been one healthcare data breach reported a day.

The Protenus Breach Barometer report lists the twelve largest healthcare data breach incidents in 2019. While eight of the twelve breaches involved healthcare providers, and totaled just over 5 million records, a health plan provider at nearly 3 million records, and three business associate breaches that surpassed 22 million records. In fact, just one business associate breach reached nearly 21 million records.

Interestingly, one breach was due to theft, nine breaches due to “hacking,” two breaches to insider error, and one breach due to theft. 

Interestingly, and a bit of good news, is that insider healthcare data breach incidents have decreased every year since 2016, down from 192 that year to 110 in 2019. According to the report, the decrease can be largely attributed to the adoption of healthcare compliance analytics and better employee training and awareness.

The report concluded that even with the decrease in the number of insider data breaches, they still remain a significant risk. One such breach went undetected for seven years. “In this particular incident, sensitive patient information was viewable to external audiences outside their system network. Potentially exposed information included patient name, medical record number, insurance information, appointment times, and procedure information. At this time, it does not appear this data has been used maliciously and the organization has corrected the system configuration. Several other insider-related incidents went undiscovered for three or more years, putting significant amounts of patient data at risk,” the report said.

The report was clear to point out that while there were fewer insider data breaches, they are often more dangerous because insiders have legitimate access to sensitive and regulated patient data. The report authors cited one incident from last year when a nurse was suspected of providing data to outsiders in order to conduct fraud. “The Maryland-based healthcare organization discovered the breach when law enforcement reached out after the employee’s associate was arrested for an unrelated matter. It is estimated that 16,542 patients could have been affected over the course of almost two years (644 days) before discovery. Based on information provided by state and local law enforcement, the organization fired this employee and reported the incident to the Board of Nursing. The investigation is still ongoing,” the report said.

A study published in 2019, from provider CynergisTek, based on ratings from privacy and security assessments performed in 2018 at nearly 600 healthcare providers, evaluated the conformance with the NIST Cybersecurity Framework. The analysis found that organizations were, on average, only at a 47% conformance level to the NIST CSF controls and an average 72% conformance with the HIPAA Security Rule. According to CynergisTek, these findings are essentially flat year over year.

The report also found that insiders do a considerable amount of snooping on confidential data, with 74% of unauthorized insider access to patient records involving spying on household members, followed by accessing high profile persons’ patient data.

The survey also found that more than 60% of privacy assessments identified gaps in maintaining the necessary policies and procedures that guide staff in the proper management, usage and disclosures on the proper in managing all or some of these uses and/or disclosures of PHI.

When it came to third-party vendors — the source of 20% of beaches in the Protenus Breach Barometer report — the most common gaps include risk assessment, access management, and governance.



George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.

View all posts

You might also like