A new report from DataBreaches.net and Protenus found at least 30 percent of all breaches reported to HHS' public breach tool can be traced back to business associates and third party vendors.
To create the report, titled "Third-Party Breaches in 2016 Pose Alarming Risk to Patient Data," DataBreaches.net amassed a list of healthcare breaches involving vendors or business associates. All the breaches occurred between Jan. 1, 2016 and Aug. 31, 2016 and were either reported to HHS or appeared in the media. DataBreaches.net's compilation included more than 60 incidents.
Here are three things to know about the report.
1. Between Jan. 1, 2016 and Aug. 31, 2016, approximately 30 percent of incidents on HHS' public breach tool involved a business associate or vendor. Using HHS' tool, DataBreaches.net initially found only 14 out of the 193 incidents — 7 percent — between January and August were coded as "business associate" for "covered entity type." But after recoding the entries to incorporate information available from other sources, 57 out of the 193 incidents — 30 percent — involved a business associate or vendor.
2. Approximately 35 percent of breached records were attributable to third-party breaches. Based on an analysis of HHS' tool, breaches due to third-party vendors were associated with 27 percent more affected patients per incident than breaches originating at providers or health plans.
3. Third party vendor breaches came from both insider threats and external threats. DataBreaches.net and Protenus noted the number of third party incidents involving insider threats was almost identical to the number of third party incidents involving external threats.