Protenus: Improvement Seen in Reporting Data Breaches to HHS

May 23, 2017
Over the past few months, healthcare organizations are taking less time to report their data breaches to the U.S. Department of Health and Human Services (HHS).

Over the past few months, healthcare organizations are taking less time to report their data breaches to the U.S. Department of Health and Human Services (HHS), which could be in response to the federal agency now fining organizations for not reporting health data breaches within the required 60-day window.

The findings were the latest from latest Protenus, which constructs a “Breach Barometer” report each month. Indeed, April is the second straight month in which there seems to be noticeable improvement in the time it takes for healthcare organizations to report their breaches to HHS.

Last month, 66 percent of entities reported their health data breach to HHS within the required 60-day window; previous Protenus reports have found that it has taken several months or years for a healthcare system to discover and report a health data breach to HHS. Of the incidents reported in April for which there is data, it took an average of 51 days for healthcare organizations to discover a breach had occurred.  It also took an additional average of 59 days from the time the breach was discovered to when it was reported to HHS.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by

What’s more, the April report found that 2017 seems to be on a steady course when it comes to the number of breach incidents and number of patient records affected each month.  March totals were significantly higher than April’s totals, mostly due to a single large breach incident in March.  There were 34 separate breach incidents in April, affecting 232,060 patient records.  The 39 incidents in March affected 1,519,521 patient records.

Meanwhile, insiders were responsible for 29 percent of April’s total breach incidents (10 incidents).  Protenus has numbers for eight incidents, affecting 9,251 patient records.  Five of the reported insider incidents were the result of insider-error, affecting 7,037 patient records, and four of the reported incidents were the result of insider-wrongdoing. The report’s authors noted, “While hacking receives significant press coverage, it’s the malicious bad actors that stem from inside healthcare organizations that can cause the most destruction.  This is due to the simple fact that they often go undetected because they have legitimate access to patient data and aren’t the immediately obvious ‘red flag.’”

Once again, hacking accounted for a significant percentage of records and incidents (16 incidents accounted for 47 percent of the total breaches). For the reported hacking incidents for which there are numbers, 171,268 patient records were affected.  There were five incidents in which ransomware was specifically mentioned as the cause of the health data breach, though the authors noted that other breaches might have included ransomware too, but reports for those were unclear.

The report mentioned that in early April, one of the worst cybersecurity incidents of the year occurred in which patient data was stolen from a behavioral health center in Maine and sold to an unknown third party. This incident did not get major national attention many others do, and as the report stated, “It seems that in 2017 the threat has elevated for breaches of this caliber, and entities now have to worry about their patient data being listed for sale on the Dark Web before they even know a breach has occurred.  In 2016, hackers like TheDarkOverlord were giving entities a heads up that their data would be sold if demands were not met. This year, we’ve seen data for sale before any warning or alerts were given to the entity.”

Sponsored Recommendations

A Comprehensive Workplace Safety Checklist

This checklist is designed for healthcare facilities focused on increasing workplace safety. It’s meant to inspire ideas, strengthen safety plans, and encourage joint commission...

Healthcare Rankings Report

Adapting in Healthcare: Key Insights and Strategies from Leading Systems As healthcare marketers navigate changes in a volatile industry, they know one thing is certain: we've...

Healthcare Reputation Industry Trends

Navigating the Tipping Point: Strategies for Reputation Management in a Volatile Healthcare Environment As healthcare marketers navigate changes in a volatile industry, they can...

Clinical Evaluation: An AI Assistant for Primary Care

The AAFP's clinical evaluation offers a detailed analysis of how an innovative AI solution can help relieve physicians' administrative burden and aid them in improving health ...