Protenus LLC has released its seventh annual Breach Barometer report. Unlike other analyses that seem to rely solely on reports to the U.S. Department of Health and Human Services, the Breach Barometer uses a broader lens and includes reports from non-HIPAA entities that involved medical data or health insurance information on employees or patients.
There are other important methodological differences between the Breach Barometer and other analyses of the healthcare sector that warrant mention before turning to the findings. One is that the count shown on HHS’s public breach tool for incidents larger than 500 patients should be viewed as the number of reports submitted between January 1 and December 31 of the year. In a number of cases, numerous reports all stem from a single incident. Thus, the number of reports submitted to HHS does not represent the number of new incidents reported to HHS during the year.
For 2022, DataBreaches.net, in collaboration with Protenus, compiled 1,138 reports from 956 unique incidents. Compared to 2021, that represents an 8% increase in the number of reports and a 6% increase in the number of unique incidents. There was also a 6% increase in the number of incidents for which we had any numbers, however partial they might be. Given the relatively small increase year over year, it is noteworthy that there was an 18% increase in the number of breached records from 2021 to 2022.
Consistent with trends noted in previous Barometer reports, hacking accounted for 75% of all reported new incidents and 86% of all reported breached records.
Remember the exciting news about how payments to ransomware gangs were decreasing? The Breach Barometer comments:
While on paper it appeared that ransomware payments were trending downward as more organizations did not pay, it does not mean the number of attacks is waning. According to Rebecca Moody, head of data research at cybersecurity research firm Comparitech, “accurately gauging ransomware attack trends continues to be complicated by the fact that so many incidents never publicly come to light.” In 2022, we observed a shift in how covered entities or victims reported ransomware attacks. As these attacks are increasingly called a “security incident” or “cyberattack”, public disclosures do not give us a real sense of how many ransomware attacks there were against healthcare entities last year, in how many cases PHI was encrypted and/or services were disrupted, and in how many cases entities paid ransom.
Lack of information in government-mandated breach notifications appears to be a problematic nationwide trend — two-thirds of all data breach notices in 2022 didn’t disclose enough details on causes and potential risk to help victims better protect themselves, according to an annual data breach report released by the Identity Theft Resource Center (ITRC), a non-profit organization focusing on identity crime. Says ITRC CEO Eva Velasquez, “The result of these trends is less reliable data that impairs the ability of individuals, businesses and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one.”
ITRC’s point that individuals are less able to make informed decisions about what actions to take in the aftermath of a breach is one DataBreaches has made repeatedly over the past few years. Entities that do not tell those affected that their data has actually been dumped or leaked on the internet are often intentionally withholding critical information that might influence victims’ response to a breach. In too many cases, the only way victims learn that their personal and sensitive information has actually been leaked publicly is from reports by DataBreaches or other media and news outlets.
DataBreaches continues to urge regulators and legislators to enact and enforce legislation that requires greater transparency by breached entities.
Since Protenus’s first Breach Barometer, Protenus and DataBreaches have continued to urge covered entities to pay greater attention to the security of their business associates. The 2023 Barometer reports:
The number of breached records involving a Business Associate (BA) or third party jumped nearly 30% year over year to 29,478,169. BAs were involved in 188 of the reported incidents in 2022 — approximately 20% of all new and unique breaches reported for the year (Figure 11).
BA-related incidents accounted for 49% of all breached records for the year, up from 42% in 2021. Of the breaches involving BAs, the majority — 134 incidents, or 71% — were a result of hacking.
Protenus’s 2023 Breach Barometer also contains statistics on insider breaches. Some involve human error, such as mailing errors or misconfigurations. Others involve wrongdoing by employees or by employees of business associates.
Insider incidents continue to account for more than 10% of all incidents reported in the year. The number of breached records due to insider error increased 141% from 2021. That number is likely to skyrocket further in 2023 as reports arrive from still more entities that did not realize they were transmitting protected health information to analytics firms like Meta. As the Barometer reports:
After the problem was first revealed by a study reported by The Markup, covered entities and Business Associates began to report how many patients may have had their PHI transmitted to Meta or other entities that should not have received PHI. Protenus and DataBreaches have coded these reports as “Insider Error” incidents on the premise that there was no intention to disclose PHI via trackers. We expect that there will also be significant reports of this kind in 2023.
Other statistics and patterns included in the 2023 Barometer address the gap between breach and discovery and the gap between breach and disclosure. The report also includes breach frequency data by state.
You can access a copy of the free report at https://www.protenus.com/breach-barometer-report