Protenus and Databreaches.net published the 2016 healthcare data breach report in January, showing there were more than 27 million healthcare records stolen last year, according to HIPAA Journal.
Here are eight things to know:
1. In 2016, there were 450 reported data breaches affecting patients and health plan members. There were fewer records breached last year than in 2015, but the number of incidents is on the rise, as 2016 was the worst year for healthcare industry data breaches in recorded history.
2. There were 10 million healthcare records stolen in June 2016 and 9 million in August, the two months with the most records breached last year. The worst month for data breaches was November, when there were 58 data breaches. January had the fewest breaches with 21 incidents and 104,056 people impacted.
3. The largest data breach last year was at Phoenix-based Banner Health with 3.62 million records exposed.
4. Nearly half — 43 percent — of the breaches last year involved organization insiders, up from 26.8 percent in 2015. Ninety-nine data breaches were accidental and 91 breaches were caused by insider wrongdoing. On average, the insider wrongdoing data breaches resulted in fewer records stolen than the accidental data breaches, which exposed three times as many records.
5. There were 30 recorded ransomware attacks in 2016, but the true number could be higher, as healthcare organizations only need to report ransomware attacks if there was a probability that ePHI was compromised, according to the report, and the covered entities have 60 days to report.
6. There were more attempts to extort healthcare organizations after hackers gained access to healthcare data, where hackers demanded a ransom to not publish the data. There were 120 hacking incidents last year, and records were stolen in 99 of those attacks. Hackers obtained access to nearly 23.7 million records.
7. Healthcare providers were the victims in 80 percent of the total breaches; health plans accounted for 10 percent of the attacks and healthcare business associates were targeted in 6.3 percent of the attacks.
8. It took 233 days on average for organizations to detect breaches, with insider wrongdoing cases taking an average of 607 days to detect. The average time from breach detection to HHS reporting was 344 days.