U.S. Healthcare Sector Plagued by Cyber Breaches Caused by Human Error: Beazley

Whether it is an email sent to the wrong recipient, discharge instructions given to the wrong patient, or a server containing protected health information (PHI) accidentally left open to the public, healthcare entities continue to struggle with data breaches caused by human error on a regular basis, specialty insurer Beazley said in its updated data breach report.

In the first nine months of 2017, unintended disclosure accounted for 41 percent of data breach incidents reported to Beazley by healthcare organizations and the trend shows no signs of abating.

“All organizations face the reality that data breaches have become inevitable. And the stakes are high: they hold personal data on trust for customers, employees and patients. The volume of protected health information maintained by healthcare organizations and the digitization of electronic health records have increased the vulnerability for large breaches,” said Katherine Keefe, global head of Breach Response Services for Beazley. “It is important to understand the underlying causes so as to mitigate and manage them effectively.”

The high level of unintended disclosure incidents remains more than double that of the second most frequent cause of loss, hack or malware (19 percent).

Healthcare insureds have also reported more insider incidents thus far in 2017; they are now at 15 percent of incidents. These typically involve an employee “snooping” into patient records without a work-related reason to do so.

Beazley’s report also examines the marked increase in the number of Department of Health and Human Services Office for Civil Rights enforcement activities and settlements in recent years. These probes are triggered when a breach involves more than 500 patients. The settlement amounts averaged $1.8 million in 2016-17, up from $1 million in 2014-15.