Healthcare Data Breaches Occurring at an Alarming Rate

Healthcare data breaches are increasing at the year goes on, according to the latest Breach Barometer report from Protenus. As if the breach tally for the first half of 2016 was not bad enough, the second half of the year has been even worse.

Protenus compiled a list of healthcare data breaches – with assistance provided by – from the first half of the year which showed an average of 25.3 healthcare data breaches occurred every month. However, between July and September, the average number of reported healthcare data breaches each month increased by 55% and now stands at 39.3 per month.

2016 is shaping up to be the worst year for healthcare data breaches to date, and while there is still the final quarter to go, there have already been 118 breaches of healthcare data in the second half of the year. In the first six months of 2016, 152 data breaches were reported. This, as Protenus points out in the breach report, is cause for alarm.

In the first quarter of 2016, healthcare organizations reported 63 breaches of protected health information. In quarter two, there were 89 reported breaches. Quarter three has seen 118 breaches reported. The breaches reported in September were all relatively small although 37 separate incidents were reported. The total number of health records breached in September was 246,876 according to the report.

The biggest cause of breaches reported in September were insider breaches, which accounted for 41% of all incidents and resulted in the theft or exposure of 50,695 healthcare records, although two incidents have been reported for which the total number of exposed or stolen records is not yet known.

The second largest cause of healthcare data breaches was hacking. Similarly, figures for two of the breaches have not yet been disclosed. The remaining ten breaches resulted in the theft or exposure of 154,814 records. Hacking continues to expose more records, even though more data breaches are caused by insiders.

The majority of breaches involved ePHI, although 19% of reported data breaches involved paper records. Efforts may be focused on protecting electronic health records, but the breach figures show that paper records should not be neglected.

Healthcare providers reported the most breaches (92%) in September. Two health plan data breaches were reported and one was reported by a HIPAA business associate. According to the report, healthcare organizations have been faster at identifying breaches in September, taking just 151 days between the discovery of the breach and submitting a breach notification to the Department of Health and Human Services’ Office for Civil Rights. In August, the average time between discovery and reporting was 558 days.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of