Health care data breaches are not slowing. According to a report issued by Protenus in conjunction with www.databreaches.net, healthcare data breaches in 2017 are continuing where 2016 left off.
In January 2017, there were 31 data breaches reported to the Office for Civil Rights. The breaches resulted in the compromise of 388,307 patient and health plan members’ Personal Health Information (PHI).
The largest breach reported in January was by CoPilot Provider Support Services, which reported a breach of 220,000 that occurred in October 2015.
The report noted that 40 percent of HIPAA covered entities that self-reported a data breach in January of 2017 reported it outside of the statutorily mandated “no later than 60 days” window for reporting under the HIPAA Breach Notification Rule. Hence the first payout by a health care provider (Presence Health) for a delayed breach notification. The report notes that the average number of days for the OCR to receive notification was 174 days, and it took those organizations an average of 123.5 days to even discover the breach. The data breaches were reported by entities in 21 states.
The biggest culprit for the breaches? Insider incidents—both error and wrongdoing. Another reason to train and monitor employees.