November 2016 Breach Barometer Report: Worst Month for Health Data Breaches

The November 2016 Breach Barometer Report from Protenus provides a snapshot of the state of healthcare data security, cataloging the health data breaches that occurred last month. The report is released each month and provides a useful record of HIPAA breaches throughout the year.

Although the total number of health records exposed or stolen in November fell from the previous month, and the November total is only the seventh lowest of the year by that measure, the November 2016 Breach Barometer Report shows that November was the worst month of the year for the number of security incidents reported.

In November, 57 healthcare institutions reported a security incident that resulted in the exposure of more than 500 healthcare records, more than in any previous month of the year. The previous high was August, with 42 incidents reported; November's total is almost 36% higher.

There has been some variation from month to month, but the general trend is an increase in breaches as the year has progressed. 2016 is already the worst year on record for healthcare data breaches in terms of the number of incidents, and December's figures have still to be added to the total.

According to the November 2016 Breach Barometer Report, 458,639 healthcare records were exposed or stolen last month. Forty incidents were reported by healthcare providers, 11 by health plans, and three were reported to the Department of Health and Human Services' Office for Civil Rights (OCR) by business associates of covered entities. Business associates were, however, involved to some degree in 25 of the 57 incidents reported in November.

The largest cause of breaches was insiders, who were responsible for 54.4% of the security incidents (31 of 57). In the majority of cases those incidents were not deliberate but were the result of errors made by healthcare or IT staff: Protenus reports that 17 incidents were due to errors and 14 were malicious. The number of individuals affected has so far been disclosed by only 12 organizations, but at least 264,099 patients and health plan members are already known to have been impacted by insider incidents.

Hacking incidents fell month on month, with only six reported, although those breaches resulted in the data of 102,883 patients and plan members being stolen. Ransomware was used in three attacks on healthcare institutions in November, and one further extortion attempt was reported in which a hacker stole data and demanded payment in return for not selling the records on the black market.

Part of the reason the monthly total is so much higher than in previous months is that two incidents involved multiple healthcare organizations: a breach at Ambucor Health Solutions and a separate incident affecting EMR4All/Rehab Billing Solutions. Each affected organization was required to report the breach separately, so 11 organizations submitted breach reports to OCR about the Ambucor breach and nine submitted reports about the EMR4All incident. Even if each of those two incidents is counted only once, November would still have seen 39 separate incidents, close to August's previous high of 42.

Under the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, covered entities must report breaches without unreasonable delay and no later than 60 days after discovery. The clock starts on the first day the breach is known to the organization, or would have been known had reasonable diligence been exercised, not when the internal investigation concludes. Many of the breaches reported in November were nonetheless late: 65% of the reporting organizations submitted their reports outside the 60-day deadline. Late reporting of a breach can result in a substantial financial penalty from OCR.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news