Hacking and insider-related incidents behind the majority of health data breaches reported in January
The majority of breached patient records in January were due to hacking and insider-related incidents, according to a report by Protenus, which analyzed the 37 health data breaches reported to the Office for Civil Rights (OCR) in January. The hacking incident that had the biggest impact occurred at Oklahoma State University Center for Health Sciences, where an unauthorized third party gained access to the computer network, and thus access to Medicaid patient billing information. The breach, which affected 279,865 individuals, was discovered on November 7, 2017, and letters were mailed out to affected patients on January 5. This incident is responsible for 59% of January’s total reported breached patient records, Protenus said.
The Protenus report found that 32% of all breaches reported in January were due to insider-related incidents, 30% involved hacking, 22% were due to loss/theft, and 16% were unknown.
The types of entities reporting breaches in January were:
- Healthcare providers (84%)
- Business associates/third-party vendors (5%)
- Other: business or health exchange (8%)
- Health plans (3%)
On average, 252 days passed between a breach being discovered and reported. Meanwhile, the time between discovery and disclosure averaged 96 days. Most organizations discussed in the report that experienced a large breach, one affecting 500 or more individuals, reported the breach to OCR within the 60-day window mandated by HIPAA, Protenus found.