July 6, 2016

Monthly Breach Barometer: Staggering 11 Million Patient Records Breached

It’s been an intense summer for the healthcare industry. The annual cost to the healthcare industry attributable to breaches of patient information is now more than $6.2B.* Today, Protenus is launching its new monthly Healthcare Breach Barometer with data compiled and provided by DataBreaches.net. The Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry and includes data from HHS.

11 Million Patient Records Breached in June

In what we hope will prove to be an anomaly, a large number of patient record systems were breached in June, including five medical databases. More than 11 million patient records were reported as breached last month, far more than any previous month’s total in 2016. The impact and rate of breaches illustrate how vulnerable the healthcare industry remains, as well as the need to proactively protect patient privacy and data with new technologies.

Key Findings for June 2016

A total of 29 incidents in the United States involving PHI or medical/health information were first disclosed or reported in June. A similar number was reported in May. There were 137 reported incidents for the first half of the year (the latter figures are according to HHS).

2016 Incidents Involving PHI or Medical/Health Information

Over 11 million (11,061,649) records, representing the 23 of 29 incidents for which exact numbers were available, were reported breached in June. The bulk of these record breaches is attributable to a single hacking incident that included a large insurer database (10.3 million records). In contrast, breached records for May totaled only 691,892, according to HHS.

2016 Number of Breaches (hacked database included)

41.4 percent of reported breach incidents involved hacking, 41.4 percent involved insider wrongdoing/error and 17.2 percent involved theft/loss of devices or paper records. Interestingly, in the 23 incidents for which information is available, 9 involved business associates (BAs) or vendors, with six stemming from the same BA. The number of business associates with access to patient records via EHR systems increasingly creates new security complexities for health systems to manage.

Types of Incidents

86 percent of breaches involved healthcare providers (24), followed by three breaches of health plans and one that involved an NFL sports team (although it is not confirmed whether the records are covered by HIPAA).

Incidents by Entity Type

Eighteen states are represented in 25 of the 29 incidents. Virginia had the most reports (four) of any state.

Number of Breaches by State

* 2016 Cost of a Data Breach Study: Global Analysis from IBM and Ponemon Institute

**HHS' public breach report may represent different dates than incidents previously reported in the media, on the entity's website, or on a state attorney general's site that makes breach notifications publicly available. June figures are compiled by DataBreaches.net and may represent breaches not yet included in HHS data.