Data breaches in health care are becoming “routine” with millions of patient records affected in the second quarter this year, according to the quarterly Breach Barometer report from Protenus, a data analytics firm specializing in patient privacy.
From April to June 2018, there were 143 data breach incidents reported to the U.S. Department of Health and Human Services (HHS) or the media. Details provided for 116 of the 143 incidents show they impacted more than 3.1 million patient records, according to the Protenus report.
This is almost triple the patient records impacted in the first quarter (1.13 million). Protenus also finds that 29.71 percent of privacy violations resulting in a data breach were repeat offenses.
“On average, if an individual health care employee breaches patient privacy once, there is a greater than 30 percent chance that they will do so again in three months’ time, and a greater than 66 percent chance they will do so again in a year’s time. In other words, even minor privacy violations that are not promptly detected and mitigated have the potential to compound risk over time,” according to the report.
Investigators also have a difficult time keeping up with the volume of “insider threats” when it comes to patient data. In fact, due to the volume of electronic access to health care data at hospitals and other providers on a daily basis, one investigator monitors an average of nearly 4,000 employees.
The average number of employees with privacy violations increased from 5.08 per 1,000 in the first quarter to 9.21 in the second quarter. Whether inadvertent or intentional, these internal violations are a big risk to patients’ privacy. And employees in the health care industry are often looking for information on people they know when they commit a violation.
Approximately 71 percent of insider-related breaches in the second quarter included employees accessing records on their family members, according to the Protenus report. Outside of internal risks, hacking continues to lead to data breaches. Hacking incidents nearly doubled in the second quarter, with 52 reported between April and June.
Health care providers and their business associates, including third-party debt collectors, need to know the privacy rules and take care when accessing patient data, whether medical or financial, to avoid violation of the Health Insurance Portability and Accountability Act (HIPAA). Twenty-six incidents reported in the second quarter involved business associates or third-party vendors working with health care providers, affecting nearly 800,000 patient records, Protenus reports.
As data security risks in health care increase, consumers are increasingly anxious about their privacy as well. A recent survey shows almost half of U.S. adults participating are “extremely or very concerned about their health care data security, such as diagnoses, health history and test results,” according to healthsecurity.com.
So, what can providers and their business associates do to get ahead of data security risks and protect their systems, patients and consumers? Protenus reports that best practices allowing organizations to audit every employee’s access to patient data are critical. “Full visibility into how their data [are] being accessed and used will help organizations secure patient trust while preventing data breaches from having costly consequences for their organization.”
Read the complete Breach Barometer report from Protenus here: https://bit.ly/2OYOmmW. See Data Watch for a graph from this report.