November of 2016 saw the largest number of data breach incidents

2016 was a big year for changes.

From Brexit and Trump, to a wave of celebrity legends departing our lives, 2016 was one heck of a bumpy road; and we saw some of the most notable data breaches in history around the world. With the online world ever advancing, we can’t seem to keep up. Cyber hackers have been constantly coming up with new methods to break down security walls to wreak havoc and fear, and leaks are almost becoming a norm.

In the US, the month of November wears the year’s dunce hat in terms of data breach incidents. A total of 57 incidents were reported to the Department of Health and Human Services. A report by Protenus, a security company that monitors users’ electronic health records at healthcare institutions, claimed that 57 data breaches allowed over 458,000 records to be stolen. However, June held the title for most individual stolen records with a total number of 11,061,649 records.

The largest single incident led to 170,000 patient records to be exposed in one go. According to Protenus, this was a result of an associate’s insider error. 31 incidents were because of insider error or wrongdoing, whereas only 9 were due to hacking.

Ambucor Health Solution, a clinical labour services provider, was responsible for 11 separate incidents out of the 57. In one of the incidents, a former employee had inappropriately and illegally downloaded 2,500 patient files / personal information. Other incidents involved more inappropriate file downloading and accessing, stolen laptops, and stolen or lost USB sticks.

It looks like Ambucor Health Solution are desperate to find their data breach solution!

What was really alarming was the time it took for an entity to report a breach after first noticing it. In the US, there is a 60 day window to report a data breach. Of the entities within the Protenus report, 65% took longer than 60 days.

The overall average reaction time was 135 days. That’s around 4 months to report a breach!

“It goes without saying that it is essential for organizations to be proactive when monitoring patient data. The sooner a breach is detected, the quicker the healthcare organization can mitigate the risk of significant damage being done with their patient’s data” – Protenus

It’s truly baffling that some companies can have the audacity to leave their consumers’ personal information exposed for so long. Imagine living in a block of flats and coming home one day from a holiday to find that the cleaner left your door unlocked. Now imagine if the company managing the entire block of flats knew about it but didn’t report it to the appropriate authorities for months whilst you were away!

Sadly, it seems some companies don’t value their consumers’ personal information enough to comply with data protection laws. Companies and organisations have a legal obligation to protect all personal information that they have access to. They should only use it appropriately and in a safe manner. If they have to store it, they need to do it in a secure way to make sure it can’t be illegally accessed or misused. Entities can’t just dump people’s information in a box on a shelf and leave it there for when they next need it, they need to keep checking that it hasn’t been tampered with or removed without authorisation.

Two former employees were fined by the ICO for misusing personal information

Hundreds of NHS patients may have suffered serious harm from 500,000 data breaches