The number of health data breaches decreased for the second month in a row following a summer that saw a record number of breaches, according to the Protenus Breach Barometer.
Of the 35 data breaches in October, 40% were caused by hacking, malware or ransomware and affected 664,549 patient records. Four of the incidents specifically involved ransomware, and two involved ransom or extortion, but not ransomware.
The two hacking incidents that involved ransom demands were attributed to TheDarkOverLord, a hacker who previously posted nearly 10 million patient records for sale on the dark web market.
Healthcare providers reported 29 of the health data breach incidents and health plans reported two incidents. Business associates or vendors reported three health data breaches. Healthcare organizations should review the reporting rules and procedures in their business associate agreements to ensure that a breach is handled quickly and efficiently if one occurs.
October’s health data breaches bring the total for 2016 up to 305 reported incidents so far.
The price for medical records has dropped
The influx of stolen medical records appears to have a direct effect on the price of these records on the dark web market.
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), said the price drop is due to “exceeding supply, stagnant demand and increased law enforcement attention” that makes it harder for cybercriminals to make money selling partial medical records.
A recent study conducted by ICIT and the cybersecurity firms Intel Security and Flashpoint found that the price for stolen medical records has dropped from a range of $50 to $100 to about $20 to $40.
Despite the dip in breaches and the price drop, healthcare organizations should still take care to prevent future incidents by monitoring internal systems for unusual data transfers and implementing strong password policies on devices that store protected health information. It also remains to be seen how the decrease in health data breaches will affect the behavior of cybercriminals who target the healthcare industry.