Healthcare breaches drop, but ransomware attacks rise

that huge number is a marked decrease from the year before, mostly due to fewer large-scale healthcare breaches -- though there were still some of those, too -- according to new research from Protenus, a health IT privacy and security firm.

But in a notable development -- and deeply concerning to many in health IT -- ransomware and malware strikes on healthcare organizations intensified last year, doubling to 64 incidents reported to federal officials, compared with 2016.

The biggest healthcare breach reported in 2017 was at Med Center Health in Kentucky, where a former employee gained access to the billing information of nearly 700,000 patients in a series of hacking exploits, as reported by Med Center parent Commonwealth Health Corp. to the U.S. Department of Health and Human Services (HHS).

Indeed, the so-called insider threat -- when employees accidentally or maliciously gain inappropriate access to protected health information -- remained high, as it was a year earlier, and accounted for 37% of the overall number of healthcare breaches, according to the Protenus report, compiled with DataBreaches.net.

Insiders were behind 176 healthcare breaches in 2017, but only 70 were attributed to wrongdoing, while more than half were attributed to employee error. However, the malicious incursions resulted in the breach of 893,978 patient records, while the errors caused 785,281 records to be exposed. "Unfortunately, insider incidents continued to plague the healthcare industry in 2017," the report said.

Another of the report's negative findings was that healthcare organizations were slower to discover they had suffered a breach. Of 144 healthcare breaches examined by Protenus, it took an average of 308 days for organizations to find out they had been breached, compared with 233 days in 2016.

Yet healthcare organizations seemed to have made improvements in reporting health data breaches to HHS. They took an average of 73 days to report a breach after it was discovered, while in 2016, the average was 344 days. But even with this significant improvement, healthcare providers and other breached organizations failed on average to report breaches within the 60-day window required by law to avoid potential civil monetary penalties.