Protenus has released the November healthcare data breach report, which shows a decrease in both the number of reported healthcare data breaches and the number of patient records exposed for the month. Only 28 data breaches were reported in November, the lowest monthly total this year. The previous best month was February, with 32 reported data breaches. Reported breaches have fallen from 46 in September to 37 in October and 28 in November.
November also had the fewest records exposed this year: only 83,925 patients were impacted by data breaches. The previous low was May, with 138,957 records exposed.
Although November's breach report appears to offer some good news, healthcare organizations have up to 60 days to report breaches, so it is possible that not all incidents have been reported yet. Also, the number of impacted individuals has been submitted for only 25 of the 28 breaches. Protenus' Director of Public Relations noted that perhaps people wanted to be ready for Thanksgiving and simply delayed the submission of reports.
The details of the healthcare data breach report show that there were more insider breaches than hacking incidents, 9 to 8. The loss or theft of records and portable devices with ePHI comprised 25% of breaches. Seven were paper records. Hacking incidents accounted for the highest number of exposed records, 36,804, followed by insider incidents with 36,447. Loss or theft of physical records and devices with unencrypted ePHI accounted for 5,324 exposed records.
As usual, most of the breaches (82.1%) involved healthcare providers, 10.7% involved health plans and 3.6% involved business associates of HIPAA-covered entities. The average time taken to discover a breach was 55 days, with a median of 33 days. The average time taken to report a breach to HHS was 61 days, with a median of 57 days. These last figures indicate that healthcare organizations are taking too long to report breaches; there should be no unnecessary delays. With respect to delayed breach notifications, three covered entities had received financial penalties. One entity took 134 days to send notifications.
The state with the most reported breaches is usually California, but this time it is Kentucky, with 3 breaches. States with two reported breaches were California, Colorado, Florida, Indiana, Massachusetts and Texas.