According to a recent study of healthcare cyber security, there were 258 large breaches of protected health information (PHI) last year, and 113,208,516 patient health records were breached in total in 2015.
That’s an 897 percent increase in records breached from 2014 to 2015.
Redspin’s Breach Report 2015: Protected Health Information (PHI) also found that hacking attacks factored in nine of the 10 largest breaches last year and led to 98.1 percent of all compromised patient records.
“From 2009-2013, the primary cause of PHI breach was the loss or theft of unencrypted portable computing devices,” Redspin president Daniel W. Berger wrote in the report. “In most cases of theft, there was little concern about information compromise as it was more likely the thief valued the device more than what was stored on it. Not so in 2015. Hackers knew exactly what they were after as they pilfered health information and/or other personal data for nefarious purposes such as medical ID theft and fraud.”
Over 88 percent of all records breached in 2015 came as a result of the top three incidents, at Anthem, Premera Blue Cross and Excellus — and 78 million of the records breached in 2015 came from the single largest incident, the Anthem breach, which was also the largest healthcare breach in history.
“Securing the healthcare environment should now be a part of every health organization’s strategic plan,” Berger wrote. “Embracing IT security in its full definition — confidentiality, integrity and availability — is in alignment with other strategic goals such as improved patient care delivery and better patient outcomes.”
Earlier this week, the Washington State Health Care Authority (HCA) announced that an HCA employee had improperly used more than 91,000 Apple Health (Medicaid) clients’ personal identification information and private health information, including names, addresses, Social Security numbers, birthdates, Apple Health ID numbers, medical procedure information and medical diagnosis information.
Between November 15, 2013 and December 24, 2015, the HCA employee forwarded spreadsheets containing the clients’ data to another state employee, though both the HCA employee and the recipient claim the files were shared only because the HCA employee needed technical assistance with them.
Both employees have been fired.
“Our first and foremost priority is protecting our clients’ personal information,” HCA risk manager Steve Dotson said in a statement [PDF]. “We have taken swift action to address this issue and help prevent future incidents.”
“While we have no indication that the client files went beyond the two individuals involved, important privacy laws were violated and we are exercising caution and due diligence given the nature of the information,” Dotson added.
All those affected are being offered one free year of membership in Experian’s ProtectMyID Alert service.
Last fall, a Clearswift survey of 500 IT decision makers and 4,000 employees in the U.S., U.K., Germany and Australia found that 40 percent of companies expect to experience a data breach resulting from employee behavior in the coming year.