Protenus, a healthcare compliance analytics company that offers privacy monitoring and drug diversion surveillance technology, has become a reliable source for healthcare and privacy professionals. Since 2016, Protenus has published an annual report, the “Breach Barometer,” that analyzes data breaches in the healthcare industry. Setting itself apart, the Breach Barometer’s report considers data from traditional sources, such as the U.S. Department of Health and Human Services, but also “includes proprietary, non-publicly available data on the status of health data breaches across the country.” Protenus recently released its 2022 Breach Barometer report, which includes data compiled and analyzed by DataBreaches.net and Protenus.

At the outset, according to DataBreaches.net, “this year’s figures, while significantly higher than last year’s, are undoubtedly significantly underestimating the actual number of both reports and breaches because some data sources that we had for the 2021 report were not available in time for the 2022 report.” Despite not having all data sources as in the past, the 2022 Breach Barometer report is telling.

Protenus identifies three key findings. First, over 50 million patient records were affected by healthcare data breaches (a 24% increase from 2020). Second, there were approximately 905 data breach incidents in 2021. This equates to over 2 breaches per day and a 19% increase from 2020 (up from 758 unique incidents reported in 2020). Finally, there was a 44% increase in hacking incidents compared to 2020. Regarding hacking incidents, companies should note that Protenus and DataBreaches.net “are aware that many of the incidents that get coded as ‘hacks’ actually begin with employees falling for phishing attacks or making some other error that allows threat actors to gain initial access,” according to DataBreaches.net.

Beyond Protenus’ three key findings, the 2022 Breach Barometer report (and prior year reports) reflect other notable findings. For example, hacking incidents have increased for six consecutive years and continue to have a significant impact; 75% of 2021 breaches were due to hacks and resulted in over 43.7 million records being exposed or stolen. According to Protenus, the largest hacking incident in 2021 resulted from an IT Business Associate of a children’s health plan failing to address website vulnerabilities resulting in hackers gaining access to millions of records. While not named by Protenus, the health plan referenced is likely Florida Healthy Kids Corporation. Protenus explained that the incident affected as many as 3,500,000 individuals who applied for health insurance between 2013 and December 2020.

There were positive findings. The breach discovery time decreased significantly, approximately 30% year-over-year to 132 days. Despite the decrease in breach discovery time, the 2022 Data Breach report identified an increase in reporting time. The average time to report a data breach increased from 85 days in 2020 to 118 days in 2021. The 2021 median time was 62 days – 2 days beyond the HIPAA Breach Notification Rule requirement. Also, there were 111 insider breaches, which is a 26% reduction from 2020. It should be noted, however, that 2020 saw an unusual spike in insider incidents – which could be COVID-19 related. And the 2021 insider breaches (111) are relatively on par with the 110 insider incidents in 2019. Despite the unusual 2020 spike, there has

been a general decrease in insider incidents since Protenus published its Breach Barometer reports in 2016, though some insider incidents may be classified as hacks as DataBreaches.net noted. Chilivis Grubman attorneys recently discussed OCR Director Lisa Pino’s blog post titled “Improving the Cybersecurity Posture of Healthcare in 2022,” and cautioned covered entities and business associates to heed Director Pino’s warnings and take meaningful steps to reduce the likelihood of a cyber event occurring and the impact of such an event. The Breach Barometer report further shows the unfortunate reality that data breaches are not declining. Companies should take meaningful and intentional action.

§ To download the 2022 Breach Barometer report, or for more information, please visit: https://www.protenus.com/resources/2022-breach-barometer.

§ To obtain information from Datebreaches.net related to the 2022 Breach Barometer report, please visit: https://www.databreaches.net/protenus-releases-the-2022-breach-barometer-report-on-health-data-breaches-more-than-50-million-affected

The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation. If you need assistance with such a matter, please contact us today.