Insider Data Breaches Continue to Afflict the Healthcare Industry


Protenus has issued its February Healthcare Breach Barometer Report. The report covers healthcare data breaches reported to the Department of Health and Human Services' Office for Civil Rights or disclosed to the media in February 2018.

The report, compiled from data gathered from, shows at least 348,889 healthcare records were confirmed as breached in February, although that figure will be substantially higher, as the number of people affected by 11 breaches is not yet known. There were 39 security breaches involving protected health information in February, a small rise from the 37 breaches reported in January, although the number of records exposed was down from January's total of 473,807 records.

Insider breaches continue to create problems for healthcare providers, with 16/39 incidents (41%) involving insiders. Those incidents led to the exposure/theft of 51% of all records confirmed as having been stolen or exposed in February. Protenus notes that 94% of insider breaches were the result of mistakes by healthcare workers, with just one confirmed breach involving insider wrongdoing.

Hacking accounted for 33% of data breaches and resulted in the exposure of 46% of the records exposed in February, although the number of people affected by five hacking incidents is not yet known. Of the hacking/IT incidents, four were confirmed as involving malware or ransomware, including the biggest breach of the month, the 135,000-record breach at St. Peter's Surgery & Endoscopy Center in New York. Two incidents were confirmed as involving phishing. Theft/loss incidents accounted for 13% of all breaches, and the cause of 13% of breaches is currently unknown.

Healthcare providers reported 23 breaches, health plans reported eight incidents, business associates reported four incidents, and companies/other vendors reported four breaches. The breach reports submitted to the Office for Civil Rights suggest only two business associate breaches happened, although the Protenus report shows there were 11 incidents with some business associate/vendor involvement.

Protenus notes that it took an average of 325 days from the date of the breach to the incident being discovered, with a median discovery time of 34 days. The average was high because one insider breach took more than four years to discover. The average time from detection to reporting was 68 days, with a median of 59 days. Six companies reported their breaches later than the 60-day maximum time frame permitted by HIPAA.

California was the worst affected by healthcare data breaches in February with six incidents, followed by Wisconsin and Georgia with three. Healthcare data breaches were reported by companies in 22 states and Puerto Rico in February.

Protenus notes that although the number of people affected by healthcare data breaches fell to a four-year low in 2017, the number of data breaches has not decreased. Healthcare data breaches are still happening at a rate of more than one per day.