DataBreaches.net has reported on a number of breaches in the healthcare sector this year that involved third parties, so I thought that I’d try to compile them to see how 2016 was shaping up. The resulting chronology, available in a new report co-authored with Protenus, Inc., includes more than 60 incidents involving business associates or vendors.
Highlights of the data analyses included:
- 30% of breaches reported on HHS’s public breach tool (“Wall of Shame”) involve third parties, although you can’t really tell that from the public-facing tool;
- 35% of breached records – approximately 4.5 million records – were due to breaches involving third parties;
- For the first eight months of the year, insider breaches and external breaches were equally frequent for third parties; and
- Incidents involving third parties resulted in 27% more breached records per incident than incidents that did not involve a third party.
Overall, the take-home message is clear: third-party breaches account for a significant percentage of breaches in the healthcare sector, and they account for a disproportionate percentage of breached records.
In our special report on third-party breaches,also include some specific suggestions for covered entities to consider when negotiating Business Associate Agreements or dealing with vendors not covered by BAAs. But as Robert Lord, CEO of Protenus, notes, ”improving protection of patient data in the EHR is not a single project or checklist. It should be an on-going, living process that strives for continuous improvement.“
You can request your free copy of the report here.