Safe & Sound with Marianne Kolbasuk McGee

Health Data Breaches: Comparing UK, US Trends

Cyber Incidents Grow, But Low-Tech Breaches Still a Challenge
I spend considerable time analyzing trends involving U.S. health data breaches. But a look at some of the United Kingdom's recent health data breach statistics shows some interesting similarities to the U.S., despite differences in the two countries' health systems and breach reporting practices.

Low-tech incidents are still tripping up many entities in both countries. For example, mismailings - postal or email - of patient information are common issues. But breaches involving cyber incidents also are on the rise in both nations.

U.K. Snapshot

Statistics in a recent report from the U.K.'s Information Commissioner's Office show that in the third quarter of 2017, the U.K. saw a 22 percent increase in reported health data breaches of any size, compared with the second quarter. Data posted or faxed to the incorrect person, data sent by email to the incorrect recipient and loss or theft of paperwork were the three main breach types.

But while digging deeper into U.K. statistics ranging from January 2016 through December 2017, I noticed a striking jump in the number of health data breaches reported to the ICO that involved some sort of cyberattack. Those incidents, which grew from 24 in 2016 to 67 in 2017, included ransomware, phishing and distributed denial-of-service attacks, among others.

U.S. Trends

While U.S. healthcare providers still struggle with breaches involving lost or stolen unencrypted laptops as well as paper charts, health data breaches involving cyberattacks have also been climbing.

For instance, the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website of major breaches shows that hacking was behind nine out of the 10 top U.S. health data breaches in 2017, and about 70 percent of the total number of individuals affected by all health data breaches during the year.

As of Feb. 15, the so-called "wall of shame" shows that in 2017, out of 359 major health data breaches reported and confirmed so far by HHS, 147 are listed as "hacking/IT incidents."

The trend in hacker incidents dominating the top spots on the federal health data breach tally started a couple of years ago, and it's likely to continue.

"I believe we will continue to see hacker incidents in the form of external cyberattacks such as phishing and ransomware," Kate Borten, president of privacy and security consulting firm The Marblehead Group, recently told me (see Hacking Incidents Dominate 2017 Health Data Breach Tally).

Reporting Duties

The ICO notes that in the U.K., breach reporting is mandatory in the health sector. This contributes to the sector having the highest number of reports compared with other sectors, the ICO writes.

But with enforcement of the European Union's General Data Protection Regulation coming in May, the ICO notes that entities across all sectors "must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay."

So in future ICO reports, we could very well see signs of emerging U.K. breach trends developing as the new, stricter mandatory breach reporting under GDPR plays out.

A spokeswoman from the ICO tells me that health data breaches of any size are reflected in the commission's quarterly statistics. In the U.K., health data breaches are reported to the National Health System, and those statistics are passed along to the ICO, she says.

In the U.S., HHS requires that entities report health data breaches impacting 500 or more individuals within 60 days of discovery, and those incidents get posted on the HHS Office for Civil Rights' wall of shame.

OCR also tracks smaller health data breaches, but the agency reports its statistics about those incidents annually to Congress. Those smaller incidents must be reported to HHS by entities within 60 days of the end of the calendar year in which the breach was discovered.

Mistakes and Mishaps

Despite the surge in cyberattacks involving health data in the U.K. - as well as in the U.S. - mistakes and mishaps by healthcare staff and others, resulting in lost or stolen paper charts and laptops and misdirected email or snail mail, still remain big problems for both countries.

For instance, in the U.S. in 2017, the wall of shame shows 69 major health data breaches involving lost, stolen or improperly disposed paper or film containing patient PHI.

All in all, the statistics show that healthcare entities in both countries still have many low-tech and high-tech challenges to tackle in the mission to protect patient data.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.