Healthcare Data Breach Report Shows Breaches Are Taking Years to Detect

The latest healthcare data breach report issued by Protenus, in conjunction with, shows healthcare data breaches increased in May, with 37 breaches reported compared to 34 the previous month.  The numbers of records exposed in those breaches was 255,108, although not all breach figures are known. That still represents a jump from last month when 232,060 healthcare records were known to have been exposed or stolen.

One of the breaches reported in May involved the theft of 140,000 records. That was a hacking incident which involved data being stolen and a ransom demand being issued. The ransom was not paid and the records were dumped online.

Hacking was the leading cause of healthcare data breaches in April, but in May it was insiders once again that caused the most breaches. Insiders accounted for 40.54% of the breaches reported in May. Five of those incidents involved insider wrong doing and 10 involved insider error. Hacking was in second place, being the cause of 35.14% of breaches, with loss/theft in third place with 13.51% of incidents.

Hacking was top of the list in terms of the number of records exposed/stolen. At least 203,394 patient health records were exposed or stolen by hackers. There were at least 3 ransomware incidents in May and possibly more.

Healthcare providers experienced 81% of the breaches, followed by business associates/vendors (11%) and health plans (8%). California was worst affected with 6 reported breaches, followed Florida (5), Texas (4) and Washington and Missouri which both had three breaches.

The healthcare data breach report shows that the time between detecting data breaches and reporting those incidents has improved again, with 83% of HIPAA-covered entities reporting the breaches within the 60-day window allowed by HIPAA Rules. One covered entity took 77 days to report a breach, one took 140 days and all others reported within 60 days. It took an average of 59 days for healthcare organizations to report breaches.

The average time between the breach and detection jumped to 441 days, a considerable increase from April when the average time to detect a breach was 59 days. Two covered entities took more than 3 years to discover a breach had occurred, with a further covered entity taking almost three years.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of