By Danika Brinda bio
Unfortunately as promised, 2017 brought many challenges to properly protecting patient information in healthcare. We saw a record number of data breaches in 2016 with cybersecurity being on a fast and furious rise. In 2017, the trend continued with many healthcare organizations being hit with different cybersecurity attacks, resulting in data breaches. However, on top of the increase in cybersecurity issues, many other reasons for data breaches emerged. A total of 340 large data breaches (500+ individuals impacted) were reported in 2017 impacting 4,977,655 individuals!
Some key highlights from the 2017 HIPAA data breaches
Healthcare providers continue to lead in the number of data breaches. This should come as no surprise as there are more healthcare providers than health plans and healthcare clearing houses in the United States. Of the 340 large data breaches:
- 274 were reported by covered entities (81%)
- 49 were reported from health plans (14%)
- 17 were reported from business associates (5%)
No healthcare clearing houses reported data breaches in 2017—which is interesting as they are also the only type of covered entity that was able to fully pass a HIPAA audit during the HIPAA audit program’s pilot program in 2012.
The total number of individuals impacted by large data breaches was 4,977,655, which is actually a decrease from 2016. The largest data breach of 2017 was due to an employee accessing information on approximately 697,800 individuals with no business reason to access the information. This definitely supports the need for continued employee education as well as auditing of access in electronic systems containing patient information.
Hacking/IT incidents
The category of Hacking/IT Incident was the biggest impact to the number of individual impacted at 3,442,748. The one key item in this picture is that hacking continues to impact the largest number of individuals with healthcare data breaches. In 2017, 69% of the total individuals impacting were due to Hacking/IT Incidents.
Five (5) types of data breaches occurred in 2017 with Hacking/IT Incidents topping the list with 140 data breaches. Unauthorized Access/Disclosure came in a close second with 119 data breaches. Healthcare continues to see a downward trend in the theft and loss breaches categories. Improper disposal came in last with only 11 data breaches (although this really should be 0)!
As usual, data breaches by location are all over the board. E-mail and network server topped the 2017 list of data breach locations, with paper coming in a close third. We must not forget to protect paper and films and properly destroy!
Business associates involvement
The last analysis is how did the business associates involvement play out in 2017. Of the 340 large data breaches reported, 18 were reported that a business associate was involved in the data breach!
Around the country
Other fun HIPAA Data Breach Facts from 2017:
- Top State for Data Breaches by Count – Texas (32 Large Data Breaches)
- Top State for Data Breach by Individuals Impacted – Kentucky (768,648)
- Hawaii, New Mexico, Wyoming, and Idaho had no large data breaches reported in 2017
Conclusion
So, now that we are off and running in 2018, if you don’t have your HIPAA compliance in order, now is the time to start! Don’t know where to start? The best place is to complete a complete HIPAA Privacy and Security Risk Analysis to know the areas where you do not have adequate safeguards or processes in place to help protected the confidentiality and security of patient information. This also helps to create a work plan for getting compliant.
Cheers to a great 2018!
