How 3 hospital breaches went undetected for more than 3 years

Security firm’s discovery highlights why hospitals struggle to detect these lapses in security.
By Tom Sullivan
02:28 PM

Three healthcare information security incidents that happened more than 36 months ago were just discovered in May — highlighting the fact that hospitals continue struggling with breach detection. What’s more, the incidents were caused by employees.

“All three of these events were, unfortunately, due to insiders, two of which seemed to be bad actors who were accessing records over time, and one was attributable to insider error,” said Robert Lord, co-founder of security firm Protenus. “These types of events often get discovered by accident or during infrequent audits.”


Those weren’t the only breaches last month. The Protenus May Breach Barometer, compiled with DataBreaches.net, found 37 total incidents exposing a total of 255,108 patient records. That total, despite TheDarkOverLord posting some 140,000 patient records to the black market early in the month, was relatively similar to the number Protenus found in April and February, though the number of records exposed in March spiked upward of 1.5 million.

Protenus determined last month that healthcare organizations are getting better at breach reporting: it took 51 days to discover the incidents reported in April and 59 days to alert the U.S. Department of Health and Human Services about them.

Even so, the insider threat persists: in May, insiders accounted for 40 percent of all breaches. Protenus compiled statistics on 10 of the 15 insider incidents, five of which were the result of wrongdoing affecting 20,335 patient records. Note that five is the total number of malicious insiders, while the two bad actors mentioned above refer specifically to the incidents that lasted more than 3 years.

“The damage associated with these events only grows over time,” Lord added. “This data, and recent OCR actions, suggest that the ‘we don't have the resources to do this now’ strategy of putting off this type of proactive work just isn't going to cut it in an environment where most threats come from insiders.”

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com

