More than 50 million patients had their medical records breached in 2021, according to the latest edition of the Protenus Breach Barometer.

Published on March 10, the report says the healthcare industry has become more vulnerable to online attackers from continuous disruptions, with reported breaches rising from 758 in 2020 to 905 in 2021, a 19% difference.

The single largest incident was a hacking involving an IT business associate of a children’s health plan in Tallahassee, Florida. The attackers exploited vulnerabilities in the company’s website that had not yet been patched and stole information on as many as 3,500,000 individuals, including full names, dates of birth, email addresses, phone numbers, street addresses, social security numbers, financial and familial information and secondary insurance data.

The industry currently is struggling with supply costs, higher salaries and staffing shortages that have only been exacerbated by the pandemic. Additionally, retaining and satisfying employees has been a challenge, along with patient safety and organizational success. These factors are all weak spots that put them at risk of being exploited by bad actors, said Protenus CEO and co-founder Nick Culbertson.

"There's huge churn and critical staffing shortages in the healthcare industry right now, as it's still feeling the effects of the pandemic. Because there are so many new employees and travel nurses coming into hospitals and healthcare systems, there's a lack of understanding of organizations' compliance policies. Policy adherence is going to become increasingly difficult. It just underscores why there's such a need for a proactive privacy monitoring system to ensure policy adherence on an ongoing basis," he told HCB News.

He adds that in addition to sophisticated hackers, employees within a healthcare organization are also capable of exploiting patient information. Insider incidents account for more than one in 10 healthcare data breaches and can create opportunities for outsiders to access patient data as well. It may have been the reason why so many outsider hackings made up the majority of breaches in 2021.

The increase continues the trend seen in 2019, when breaches at healthcare organizations almost tripled the number in 2018, according to the same report back then. Breaches rose from 450 in 2016 to 572 in 2019. A total of 41 million patient records were hacked, compared to 15 million in 2018 — a 48.6% difference.

Additionally, close to 32 million were hacked in the first half of 2019 alone, which was more than double the number breached during that time in 2018.

Since 2016, at least one health data breach per day has been recorded. HHS data showed that 92% of combined small and large breaches in 2019 were tied to unauthorized access. This shows the need for providers to focus on prevention measures that can identify early warning signs of insider and outsider incidents before they escalate, says Culbertson. "One of the best tactics is education — new hire training on compliance policies, on-the-spot training when an employee makes their first mistake or violation, and recurring training to stay on top of any potential problems."

The report was based on findings compiled and analyzed by DataBreaches.net, with additional research and analyses provided by Protenus.

Health IT Homepage