Insider errors fuel rise in healthcare data breaches by business associates, says new research

March 1, 2017

Data breaches involving business associates working with healthcare organizations almost doubled in 2016 – thanks to a rise in cases involving errors and accidental leaks by employees.

New research by data loss prevention specialists Safetica USA reveals that business associates accounted for one-in-five of the 16 million confidential patient records that were compromised last year.

“Business associates” can be any company – including IT service providers – that manage or use confidential patient data as part of their service to healthcare organizations.

Safetica’s research also reveals that “unauthorized disclosure” – mistakes and misjudgements by staff – matched “theft” as the primary cause of breach by business associates for the first time.

Notable cases in 2016 include:

  • Financial, clinical and demographic data on 998 people was mailed incorrectly after a computer error and mismatch of addresses on envelopes in a mailing room.
  • Survey data including names and demographic information about 487 people was “misdirected” to the wrong recipients after a printer paper jam.

Luke Walling, General Manager of Safetica USA, said: “We all tend to think of data breaches as deliberate and malicious acts. But increasingly, they come from insider mistakes. In recent years, Business Associates have stepped up their efforts to protect their partners’ confidential data. They also know that HIPAA compliance audits are on the agenda of the Department of Health and Human Services.”

“But our research suggests that deploying more effective data loss prevention measures could prevent the kind of avoidable, simple internal mistakes that result in major – and reportable – data breaches.”

Safetica’s research drew on a database of breaches maintained by the US Government’s Department of Health and Human Services – listing every case where 500 or more patient records were compromised since 2009.

Safetica’s researchers found:

  • 3.5 million confidential records were compromised by business associates last year – 21% of the total number of records breached in the healthcare sector.
  • The number of cases involving business associates rose from one a month in 2015 to closer to two per month (21) last year.
  • 38% of the 2016 business associate cases were caused by theft, 38% by unauthorized disclosure, 14% by hacking and 10% by loss of records or hardware. By comparison, in 2015, 42% were caused by theft, 25% by unauthorized disclosure, 16.5% by hacking incidents and 16.5% by loss of records or hardware.
  • Despite the year-over-year rise, the number of cases involving business associates was still lower last year than the 2014 peak of 67 cases.

“As business associates accounted for 21% of compromised records last year – affecting 3.5 million people – you can be sure their clients and regulators will expect them to raise their game,” Walling added.

“But our research is only the visible tip of the data security iceberg. The HHS database only records major breaches affecting 500 people or more. There’s a hidden story of smaller data security lapses happening every month that are not disclosed in the database.”

“This is an issue facing every business associate working in healthcare – and everyone needs to take steps to reduce and remove the risk of a data breach.”
