Health data breaches in Q3 2016 outpace first two quarters

Some 118 security incidents were either reported to the Department of Health and Human Services or first disclosed in the media in Q3 2016, compared with 89 in Q2 and 63 in Q1, a Protenus report finds.
By Bill Siwicki
07:03 AM
Health data breaches Protenus

More data breaches happened in the third quarter of 2016 than in the year’s first two quarters.

That’s according to the Protenus Breach Barometer, which found that 118 security incidents either reported to the Department of Health and Human Services or first disclosed in the media or other sources in the third quarter compared with 89 in the second quarter and 63 in the first quarter, according to the Protenus Breach Barometer, a monthly snapshot of reported or disclosed healthcare breaches with data compiled and provided by

[EHRs getting better? Readers rank vendors higher than last year in new survey]

For 37 data breaches in September, the number of patients affected was available for 32 and totaled 246,876 records, according to Protenus, a healthcare cybersecurity firm. While the first six months of 2016 averaged 25.3 breaches per month, the second half thus far has had an average of 39.3 incidents per month, a 55 percent increase. September’s largest single incident involved a ransomware hit that affected 58,000 records.

“While the overall number of breached records is down, the second half of 2016 is shaping up to be significantly worse than the first half when it comes to patient privacy breaches,” Protenus said. “September’s breach totals include several Olympic athletes after the World Anti-Doping Agency suffered a hacking incident apparently at the hands of Russian cyber-espionage group Tsar Team, also known as Fancy Bear. While (September’s) patient records breached total, 246,876, pales in comparison to this past summer’s total, 20 million, it’s important to re-emphasize the ever-evolving threats to patient data and the misfortune that can occur when this information lands in the wrong hands.”

Forty-one percent of healthcare data breaches in September were insider incidents, seven of which were accidental and eight were insider wrongdoing, according to the Protenus Breach Barometer. For the 13 insider incidents for which there are numbers, 50,695 records were involved.

32 percent of September breaches involved hacking, including ransomware and other malware, the barometer reported. Five of these breaches specifically mentioned ransomware. For the 10 hacking incidents for which there are numbers, 154,814 records were involved, Protenus said.

“While insider threats represented a greater proportion of incidents than hacking, it’s important to note that hacking accounted for substantially more of the breached records than insider events, as also mentioned in the August Breach Barometer,” Protenus said.

Thirty-three incidents reported or uncovered in September involved healthcare providers, followed by two incidents reported by health plans and one incident reported by a business associate or vendor, according to the barometer. 

 Learn more at the Privacy & Security Forum in Boston, Dec. 5-7, 2016.
​⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks

⇒ A CISO, consultant and infosec vendor nail down cybersecurity best practice lists
⇒  Think offshoring PHI is safe? You may not be covered if a business associate breaches data

Like Healthcare IT News on Facebook and LinkedIn