Healthcare Data Breach Trends Revealed by Protenus

by Patrick Kennedy | Aug 5, 2017

The Breach Barometer mid-year review has been released by Protenus, in conjunction with its reporting partner. The report covers all data privacy breaches reported in healthcare over the past six months and provides valuable insight into 2017 data breach trends for the industry.

This is a comprehensive review of healthcare data breaches, covering not only the breaches reported through the Department of Health and Human Services' Office for Civil Rights (OCR) breach reporting channels, but also press reports of incidents and public findings. All breaches are independently confirmed before being included in the report. The Breach Barometer reports investigate the main causes of the data breaches reported by healthcare organizations, health plans and their business associates.

Protenus co-founder and president Robert Lord, together with Dissent, discussed the findings of the mid-year review in a webinar on Wednesday.

He said that between January and June 2017 there were 233 reported data breaches, affecting 3,159,236 patients. The largest breach of the first half of the year exposed 697,800 records and was caused by a 'rogue insider'. It was one of 96 incidents involving insiders.

Of those 96 insider incidents, 57 were due to insider error (423,000 records) and 36 were due to insider wrongdoing (743,665 records). The remaining three could not be classified in either category.

The true number of insider incidents is likely to be far higher than the figures in the Breach Barometer report.

Dissent explained that many incidents are never made public or reported to HHS. One of the clearest examples is misconfigured MongoDB databases. Many health organizations have not reported that protected health information was exposed online, even though security researchers found the data could be accessed over the internet without authentication. When these incidents are officially reported, they are often reported to HHS as hacking incidents, even though the root cause is human error.

The first half of 2017 saw 75 hacking incidents and 29 ransomware incidents made public. Ransomware cases are similarly underreported, even though OCR has made it clear that ransomware attacks are reportable breaches. The true figure is likely to be much higher than the reported total.

In the first six months of the year, 41% of incidents were caused by insiders, 32% by hacking, and 18% by loss or theft of records and devices; the cause of the remaining 9% is unknown.

Hacking may be only the second most common cause of privacy breaches, but it accounted for the most records. 1,684,904 records were exposed or stolen as a result of hacking, 1,166,674 records by insiders, 112,302 records through theft or loss, and 178,420 records in incidents with unidentified causes.

In 2016, roughly 2 million patients were affected by incidents caused by insiders. So far this year, 1.17 million individuals have already been affected by such incidents. Hacking incidents are also on the rise: last year there were 120 confirmed hacking incidents over the full 12 months, and this year there have already been 75.

In June, 52 healthcare data breaches were reported, by some distance the highest monthly total of the year to date; the second highest monthly total was 39. June also saw the third highest number of individuals affected, with 729,930 records confirmed as exposed or stolen.

Despite these figures, there is some good news. The time taken to report breaches to OCR improved over the first half of the year. The mean time to report a breach is 54.5 days and the median 57 days. HIPAA allows 60 days to report a data breach and notify affected individuals, and in June both the mean and the median were within the maximum time frame allowed by the HIPAA Breach Notification Rule.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
