Healthcare Data Breaches in September Saw Almost 500K Records Exposed

by | Oct 22, 2017

September 2017 saw a huge increase in the number of healthcare data breaches, according to the recently released Breach Barometer report from Protenus, which shows there was a serious increase. The Protenus report examines data breaches made known to the Department of Health and Human Services’ Office for Civil Rights (OCR) and attacks on privacy recorded by

Overall, Protenus recorded 46 healthcare data breaches in September. While the total number of people affected by the breaches has not been confirmed, at least 499,144 healthcare records are thought to have been exposed or stolen. The overall number of records exposed or obtained in four of the month’s breaches has yet to be released.

This significant increase in incidents makes September the second worst month of 2017 for healthcare industry data breaches. Only June recorded higher figures, when 52 data breaches were reported to the relevant authorities.

The Protenus report confirms the most serious attack during September was a ransomware incident that saw the records of 128,000 individuals made inaccessible. It has not yet been made public whether those records were accessed or stolen.

The main causes of healthcare data breaches during September were hacking (50%) and insider breaches (32.6%). The hacking total includes extortion attacks by the TheDarkOverlord hacking group, ransomware attacks, and malware breaches. Hacking incidents accounted for 80% of breached records during September – 401,741 records – although figures for four of the attacks have not yet been made public. The hacking incidents during the month included one confirmed ransomware attack, eight extortion incidents and seven phishing attempts.

The 15 insider incidents led to the exposure of 73,926 private records. Those incidents included six insider mistakes and eight occurrences of insider wrongdoing. Four theft incidents, affecting 17,295 patients, were reported to the OCR.

The breaches happened at 31 healthcare providers, 6 health plans, 6 business associates of HIPAA-covered entities, and 3 schools, with California the worst hit with 5 incidents reported.

While most healthcare organizations discovered their data breaches within six weeks of them occurring – the average time to discovery was 38 days – it took one healthcare provider 2,108 days to discover that one of its staff had been improperly viewing medical records.

Most healthcare organizations reported their breaches within the HIPAA Breach Notification Rule deadline of 60 days, although there were two exceptions. One healthcare organization took 249 days to report its breach, risking a significant HIPAA violation penalty.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
