83% of Breached Healthcare Records in January Due to Hacking

by Patrick Kennedy | Mar 6, 2018

Protenus has released the latest edition of its Healthcare Breach Barometer report. Protenus reports that at least 473,807 patient records were accessed or stolen in January, although the number of people affected by 11 of the 37 breaches is not yet clear. The actual figure is likely to be much higher, possibly taking the final total to in excess of half a million records.

The report shows insiders are still causing problems for healthcare organizations. Insiders were the single biggest cause of healthcare data breaches in January. Of the 37 healthcare data breaches reported in January, 12 were caused by insiders – 32% of all data breaches.

While insiders were the main cause of breaches, the incidents affected a relatively low number of people – just 1% of all breached records. Insiders exposed 6,805 patient records, although figures could only be found for 8 of the 12 breaches. Seven incidents were attributed to insider mistakes and five were due to insider wrongdoing.

Protenus drew attention to one particular insider breach. A nurse was found to have accessed the health information of 1,309 patients without authorization over a period of 15 months. If the healthcare organization had technology in place to monitor for inappropriate access, the privacy of hundreds of patients would not have been breached.
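The monitoring the report alludes to is, at its simplest, a check over EHR audit logs for users who open far more distinct patient records than their role would explain. The following is an added example written for this article, not code from Protenus or from the report: it parses a constructed audit log (the timestamps, user names and patient IDs are made up) and flags any user who viewed more than a threshold of distinct patients inside a sliding time window, alongside a per-user count over the whole log that would surface slower, months-long snooping of the kind described above. The threshold and window are assumptions a real deployment would tune per role.

```python
"""Added example (not from the article or Protenus): flag EHR users whose
distinct-patient access volume is out of the ordinary. Every log line,
user name and patient ID below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, patient id, action.
SAMPLE_LOG = """\
2018-01-02T08:01:00 nurse_a P1001 view
2018-01-02T08:05:00 nurse_a P1002 view
2018-01-02T08:06:00 nurse_a P1003 view
2018-01-02T08:07:00 nurse_a P1004 view
2018-01-02T08:09:00 nurse_a P1005 view
2018-01-02T08:11:00 nurse_a P1006 view
2018-01-02T09:00:00 nurse_b P1001 view
2018-01-02T09:30:00 nurse_b P1001 update
2018-01-03T10:00:00 nurse_b P1007 view
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into (time, user, patient, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def distinct_patients_per_user(events):
    """Total distinct patients each user touched over the whole log.
    A slow, long-running pattern (one nurse, 1,309 patients over 15 months)
    shows up here even when no single day looks unusual."""
    seen = defaultdict(set)
    for _, user, patient, _ in events:
        seen[user].add(patient)
    return {user: len(patients) for user, patients in seen.items()}


def flag_high_volume_users(events, window=timedelta(hours=1), max_distinct=5):
    """Return {user: peak_distinct_patients} for users who accessed more than
    `max_distinct` distinct patients within any sliding window of `window`.
    Threshold and window are assumed values; tune them per role."""
    by_user = defaultdict(list)
    for ts, user, patient, _ in events:
        by_user[user].append((ts, patient))

    flagged = {}
    for user, items in by_user.items():
        items.sort()  # chronological order is required for the sliding window
        peak = 0
        start = 0
        for end in range(len(items)):
            # Advance the window start until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({patient for _, patient in items[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("distinct patients per user:", distinct_patients_per_user(evs))
    print("flagged (burst access):", flag_high_volume_users(evs))
```

On the sample log, `nurse_a` opens six different charts in ten minutes and is flagged, while `nurse_b` repeatedly works on one patient and is not. In practice the burst check catches the obvious cases; the per-user total, compared against a baseline for the same role and reviewed periodically, is what catches the slow pattern the report describes.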

The second largest cause of healthcare data breaches in January was hacking/IT incidents. There were 11 hacking/IT incidents reported by healthcare organizations in January – 30% of all breaches. In contrast to insider incidents, these were not small breaches. They were responsible for 83% of all breached records in January. A single hacking incident impacted 279,865 records. That’s 59% of all breached records in the month.

Overall, 393,766 healthcare records were affected by hacks and other IT incidents. The final figure could be much higher, as figures for five of those breaches have not been calculated. One of the incidents involving an unknown number of records was the ransomware attack on the EHR company Allscripts, which led to some of its applications being unavailable for many days. That incident could well be the largest breach of the month.

Ransomware remains a major issue in healthcare, with six of the 11 incidents involving ransomware or malware. Phishing – the subject of February’s cybersecurity letter from the HHS’ Office for Civil Rights – was involved in a minimum of two breaches.

The loss or theft of electronic devices storing ePHI or physical records made up 22% of the breaches. Two incidents involving the loss of patient records affected 10,590 people, and four of the six theft incidents affected 50,929 individuals. The number of individuals impacted by the other two theft incidents is still not clear. The cause of 16% of January’s data breaches has not yet been released.

The types of breached entities followed a similar pattern to previous months, with healthcare providers accounting for the most breaches (84%). 5% of the breaches had some business associate (BA) involvement and 3% affected health plans. 8% affected other entities.

Information on the time it took to identify breaches was only obtained for 11 of the 37 incidents. The median time from the incident to the date of detection was 34 days and the average was 252 days. The average was skewed by one incident that took 1,445 days to identify.

The median time from discovery of a breach to reporting the incident was 59 days; one day short of the 60-day deadline under the HIPAA Breach Notification Rule. The average was 96 days. Four healthcare organizations took more than 60 days to report their breaches, with one taking over 800 days.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
