July healthcare data breaches spike to 39, some going undetected for years

After a staggering 11 million patient records were breached in June, July’s number of total records breached is back down to April’s levels, at 126,930 records (though nearly half of U.S. states had at least one healthcare data breach incident this month). New this month, we present an analysis of the amount of time a breach goes unreported, finding an average time lapse of two years, with as many as six years elapsing in one case.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

Findings for July 2016

The growing impact, costs and rate of breaches illustrate how vulnerable the healthcare industry remains. In July, Oregon Health and Science University and The University of Mississippi Medical Center paid fines of $2.7 million and $2.75 million, respectively, to the HHS Office of Civil Rights for HIPAA breaches and alleged violations.

A total of 39 incidents and 126,930 records breached in the U.S. involving PHI or medical/health information were first disclosed or reported in July. The largest single breach of 23,565 was, once again, the work of the hackers known as TheDarkOverLord. Although July had the highest total number of incidents so far this year, the number of records actually breached was nowhere near the 11,061,649 records breached in June.

2016 number of records breached
2016 incidents involving PHI or medical/health information

Insider Threats Loom Large

Forty-six percent (18 incidents) of breaches in July were insider incidents, including both accidental and intentional wrongdoing. Twenty-eight percent (11 incidents) of breaches involved hacking or ransomware, including the two databases put up for sale by TheDarkOverLord on the dark web.

It is worth noting that paper records were involved in nearly 25 percent of incidents, with some records just carelessly left behind or lost. Business associates or vendors continue to be a source of concern and accounted for 24 percent (9 incidents).

Types of incidents, July 2016 health data breaches. *Also includes ransomware and malware incidents; ^ Includes incidents reported in HHS breach tool where there was insufficient information to categorize the incident

Types of Entities Reporting

Eighty-seven percent of breaches were reported by healthcare providers (34 incidents), followed by 8 percent by health plans (3 incidents), 2.5 percent by a business associate or vendor (1 incident), and 2.5 percent by a U.S. Army prison hospital (1 incident).

Types of entities reporting, July 2016 health data breaches

How Much Time Passes Between a Breach and a Breach Report?

The average time lapse between when a breach occurred and when the breach was reported is just over two years (25.5 months) for the 16 breaches in July where the exact time interval is known. This interval data confirms that breaches often go on for months or years before they are publicly reported. The longest time elapsed from breach to report was over six years. Six organizations reported within three months.

As the chart below illustrates, a lot can happen between a breach occurring and that same breach ultimately being reported to the public, raising some important questions about both detection and reporting protocol in the healthcare industry.

Actual date of breach for breaches reported in July 2016

Which States Have the Most Breaches?

Twenty-three states are included in the 39 total incidents, which is the highest number of monthly incidents so far this year. Texas had six incidents, which is the most reports of any state.

Number of health data breaches by state, July 2016
