Dutch hospitals reported 304 separate incidents of patient data loss since January 1. According to the Authority for Personal Data (AP), the hospitals rarely encrypted the data. They also reported that the majority of the data loss occurred due to human error.
Many data losses occurred after employees misplaced USB drives and other storage media. For example, a doctor from Antoni van Leeuwenhoekziekenhuis lost a hard drive with 800 patient records. Hackers have also accessed electronic healthcare records (EHR) through compromised email accounts.
Women in Cyber Security (WICS), a network of women in the computer security industry, recently conducted research into how hospitals deal with security. Old, unused, and outdated credentials were routinely overlooked. This was also the case for the State Department, according to its most recent audit.
The AP reported 4,700 data breaches in 2016, and one quarter of them came from the healthcare sector. Since January 1, all organizations have been required to alert the proper authorities immediately upon a serious data breach.
“Details on the nature of the reports will not be given because of the potential traceability to individual hospitals,” a reporter said.
More than 300 different hospitals reported data loss this year. The AP spokesperson said hospitals were on high alert throughout the year, and that the privacy watchdog program created a "willingness to report." That being said, EHR hacks have been at an all-time high this year.
We previously reported an EHR hack by TheDarkOverLord where 9.3m records were stolen and listed on TheRealDeal marketplace. He commented in an encrypted chat:
It [the EHR dump] was retrieved using a 0day within the RDP protocol that gave direct access to this sensitive information. Contact was attempted with the victim organization. However, they declined to respond. The attempt was made with each of their board of directors members. Why not just pay? Money makes it all go away, and it is a modest cost compared to the total financial damage you will suffer if you do not pay to keep it from getting leaked.
A spokesperson from the Dutch Association of Hospitals spoke briefly on the topic:
The Dutch Association of Hospitals cannot say whether there is cause for concern. Because the obligation to report data breaches has only existed since the beginning of this year, the real number is unknown. Still, we have the impression that there is a high degree of alertness in hospitals. The willingness to report is high. So even if there is only a suspicion of a data breach, hospitals are required to report it.
The new watchdog program requires potential breaches to be reported within 72 hours. Unreported breaches can lead to fines of up to 820,000 euros.