Tuesday, May 23, 2017

Organizations reporting data breaches faster to federal agencies

The Department of Health and Human Services’ Office for Civil Rights (OCR) is cracking down on providers that don’t report data breaches of protected health information in a timely manner. In March, OCR began fining organizations that don’t notify federal agencies of breaches within sixty days as required. The effect has been dramatic: average reporting times for breaches were just 45 days in March and 59 in April, compared with 478 days in February, according to Protenus, a vendor that offers a cloud platform to monitor and secure hospital electronic health records (EHRs).

“It is complex to know for sure with limited information, but we might recommend 2 reasons for this trend of reduced breach reporting time,” claims Robert Lord, co-founder and CEO at Protenus. “One potential reason is that initiating earlier this year, HHS has arguably stepped up enforcement on healthcare agencies that don’t report breaches within the required 60-day window.

“An extra potential reason is that healthcare agencies are becoming more diligent in their analysis and reporting of breaches, as awareness of the significance of reporting grows,” Lord continues. “While these tragedies are unfortunate, they can be utilized as a learning experience to educate other covered entities on best practices.”

The number of days between when a breach occurred and when it was discovered in April ranged from almost instantly to 228 days.

In April, 16 hacking incidents accounted for 47% of all breaches. Another 29% were caused by insiders, 15% involved lost or stolen information and 9% occurred by unknown means. The April breaches for which Protenus has numbers involved the records of 171,268 patients.

The breaches reported last month involved providers (79% of all incidents), health insurers (5.8%), business associates or vendors (5.8%) and other (8.8%). Data for the monthly Protenus Breach Barometer report comes from DataBreaches.net.
