Data Breach Risks Continue in the Health Care Industry
More than 3 million patient records were impacted by a data breach in the second quarter.
8/13/2018 8:00 AM
Data breaches in health care are becoming “routine” with millions of patient records affected in the second quarter this year, according to the quarterly Breach Barometer report from Protenus, a data analytics firm specializing in patient privacy.
From April to June 2018, there were 143 data breach incidents reported to the U.S. Department of Health and Human Services (HHS) or the media. Details provided for 116 of the 143 incidents show they impacted more than 3.1 million patient records, according to the Protenus report.
This is almost triple the patient records impacted in the first quarter (1.13 million).
Protenus also finds that 29.71 percent of privacy violations resulting in a data breach were repeat offenses.
“On average, if an individual health care employee breaches patient privacy once, there is a greater than 30 percent chance that they will do so again in three months’ time, and a greater than 66 percent chance they will do so again in a year’s time. In other words, even minor privacy violations that are not promptly detected and mitigated have the potential to compound risk over time,” according to the report.
Investigators also have a difficult time keeping up with the volume of “insider threats” when it comes to patient data. In fact, due to the volume of electronic access to health care data at hospitals and other providers on a daily basis, one investigator monitors an average of nearly 4,000 employees.
The average number of employees with privacy violations increased from 5.08 per 1,000 in the first quarter to 9.21 in the second quarter.
Whether inadvertent or intentional, these internal violations are a big risk to patients’ privacy. Employees in the health care industry are often looking for information on people they know when they commit a violation.
Approximately 71 percent of insider-related breaches in the second quarter included employees accessing records on their family members, according to the Protenus report.
Outside of internal risks, hacking continues to lead to data breaches. Hacking incidents nearly doubled in the second quarter, with 52 reported between April and June.
Health care providers and their business associates, including third-party debt collectors, need to know the privacy rules and take care when accessing patient data, whether medical or financial, to avoid violation of the Health Insurance Portability and Accountability Act (HIPAA).
Twenty-six incidents reported in the second quarter involved business associates or third-party vendors working with health care providers, affecting nearly 800,000 patient records, Protenus reports.
As data security risks in health care increase, consumers are increasingly anxious about their privacy as well. A recent survey shows almost half of U.S. adults participating are “extremely or very concerned about their health care data security, such as diagnoses, health history and test results,” according to healthsecurity.com.
So what can providers and their business associates do to get ahead of data security risks and protect their systems, patients and consumers?
Protenus reports that best practices that allow an audit of every employee’s access to patient data are critical for organizations. “Full visibility into how their data [are] being accessed and used will help organizations secure patient trust while preventing data breaches from having costly consequences for their organization.”
Learn more about how to stay on top of data security regulations that apply to your business and clients in ACA International’s upcoming CORE Curriculum Seminar: Data Security and Privacy, Sept. 5-6, with Leslie Bender, IFCCE, chief strategy officer and general counsel at BCA Financial Services Inc.
Bender will present how to:
- Implement effective policies and procedures
- Notify consumers in the event of a data security breach
- Explore essential safeguards and strategies to develop a Data Security Compliance Program
Read the complete Breach Barometer report from Protenus.