Protenus has released its Q3 report on breaches involving health data. As explained in their methodology, since its inception in 2016, Protenus reports have not confined themselves to just using data from HHS’s public breach tool (“The Wall of Shame”). Instead, the Protenus reports, using data compiled by DataBreaches.net, include data from incidents also involving non-HIPAA entities such as schools, businesses, and other entities. The Protenus data is also coded differently than the system HHS uses, because HHS’s “unauthorized access/disclosure” checkbox could be used to report an external hack or a rogue insider stealing data, or some other type of incident.
For Q3, Protenus reports that their analyses are based on 117 incidents, compared to 110 incidents for Q1 and 142 incidents for Q2. But while the number of incidents decreased from Q2 to Q3, the number of breached records increased from 1.1 million in Q1 to 3.1 million in Q2 to 4.4 million in Q3.
In a parallel trend, the number of breached records due to insider (employee) wrong-doing has also been increasing quarter over quarter in 2018. For Q1, this subset accounted for 4,597 breached patient records, while in Q2, there were 70,562 affected records, and in Q3 there were 290,689 breached records.
That said, it is important to remember that while insider incidents (including both innocent errors by employees or vendors as well as malicious wrongdoing) account for approximately one-fourth to one-third of all incidents, they generally account for approximately 20% of breached records, with hacks (including phishing, email attacks, etc.) accounting for the vast majority of breached records.
Anyone expecting a linear trend across and within quarters, however, will be disappointed, as some numbers dropped month over month from July to September, even though quarterly totals increased.
The Protenus & DataBreaches.net report contains a number of stats from the quarter and previous quarter. You can obtain your free copy of the report by requesting it from Protenus.