It’s that time again for year-in-review articles. On December 16, 2019,  Modern Healthcare has published an infographic that compares HIPAA breaches which occurred in 2019 to aggregate breach statistics from 2010-2018.  The 2019 data was analyzed through the end of November. A few interesting trends appear.  Let’s go to the numbers:

Breaches by Location:

In 2019, 40% of breaches involved email, compared to only 13% during 2010-2018.  This may suggest an increase in phishing and more sophisticated “spear-phishing” techniques.  Privacy officers should alert their organizations to be more vigilant about clicking links and opening emails from unverified sources, even where the emails look deceptively legitimate.

Network server breaches were up slightly, from 16% to 22%

Laptop-related breaches are down sharply, from 12% to only 3%, and desktop computer breaches are down from 6% to 3%.  This could mean more covered entities and business associates are using appropriate encryption, or may also reflect migration of data to the cloud instead of storing it on laptops and desktop computers.

Electronic medical record breaches are steady, declining slightly from 4% to 3%.

Breaches by Type:

Hacking/IT Incidents represented 57% of breaches in 2019, up sharply from 22% for the prior 8 years.  Coupled with the email breach increase, this trend would suggest infiltration or malware-related breaches that are accomplished by inattention to best practices, both in terms of recognizing and resisting phishing attempts and in failing to maintain up-to-date security measures.

Unauthorized access/disclosure remains steady, representing 30% for 2019 versus 28% for the prior 8 years.

Theft is down significantly, from 33% to only 7%.  Once again, like bank robbers go where the money is, hackers go where the data is, and that is increasingly in the cloud.

Improper disposal is a minor factor, only 1% in 2019, down from 3%.

Breaches by Month:

The report also tracked the average number of individuals affected per breach by month reported.  A significant spike occurred in July, 2019, representing the second-highest reported number of individuals affected by healthcare breaches since 2010.  This anomaly was attributed largely to a massive data breach at billing collections vendor American Medical Collection Agency that affected nearly 20 million individuals.

The wrap-up:

Statistics can be misleading, but if these trends continue, expect more issues involving email scams, malware that can infect systems via email and similar approaches, and unauthorized access, all of which focus on what is often the weakest link in any system – between the chair and the keyboard.