2017 Breach Report: 477 Breaches, 5.6M Patient Records Affected | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

2017 Breach Report: 477 Breaches, 5.6M Patient Records Affected

January 23, 2018
by Heather Landi
| Reprints

Although 2017 saw fewer massive health data breaches when compared to 2016, there was still an average of at least one health data breach per day throughout the entire year, according to a year in review report from cybersecurity software company Protenus.

Progress is being made, but there is still much that healthcare organizations must do in order to ensure that the patient data entrusted to them is properly secured, Protenus' Breach Barometer 2017 year-in-review report states.

In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) or the media, and information available for 407 of those incidents, which affected a total of 5.579 million patient records, according to Protenus, which tracks disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

Comparing these numbers with those of last year and Protenus reports that there was a slight increase in the number of breaches (450 in 2016 compare to 477 last year), but there was also a drastic decrease in the number of affected patient records—27.3 million records breached in 2016, over five times greater than the number of records affected in 2017.

The single largest breach reported in 2017 (figure 3) was the result of insider-wrongdoing. It involved two separate occasions in which a hospital employee inappropriately accessed the billing information of 697,800 patients on an encrypted USB and CD, according to the report.

In 2017, insider incidents (insider-error or insider-wrongdoing) continued to be a significant challenge for healthcare organizations, as insiders were responsible for 176 incidents last year. The report notes that one incident remaining undiscovered for 14 years. Insiders were responsible for 37 percent of the total number of breaches this year, which is similar to 2016 findings.

Protenus had information for 143 of those incidents, which affected 1.6 million patient records (30 percent of total affected patient records). This year’s insider-related incidents and patient records were lower than those in 2016, where 192 incidents were disclosed and 2 million patient records were affected.

Insider-error affected 785,281 patient records and insider-wrongdoing affected 893,978 records, which shows that more patient records were breached by insiders with malicious intent than by insider-error even though there were fewer insider-wrongdoing incidents.

Another key finding from the report is that hacking incidents that include ransomware/malware seemingly doubled from 2016 to 2017. Protenus found that hacking incidents were constant throughout the year with a total of 178 incidents in 2017 (37 percent of all 2017 breaches), with information available on 144 of those incidents, which affected 3.4 million patient records

In 2016, there were 120 hacking incidents—those incidents accounted for 87 percent of all affected records (23.7 million patient records). As a result, although there were 58 more hacking incidents in 2017, there was a significant decrease in the number of records that those incidents affected. This can be attributed to the lack of the massive hacking incidents like those seen in 2016.

Also noteworthy, healthcare organizations in 2017 reported many more incidents of ransomware and malware. There were only 30 incidents reported in 2016, whereas in 2017, 64 incidents were reported that specifically mentioned ransomware or malware. “It is entirely possible, however, that this increase in ransomware attacks is simply due to the fact that more organizations are better about reporting ransomware and have taken OCR’s guidance on what to do when an organization has experienced a ransomware attack,” the report states.

Eighteen of the 178 hacking incidents mentioned the use of other types of ransomware or extortion methods, and 31 incidents involved phishing attacks.

Last year, Protenus predicted that 2017 would be the “year of insider breach awareness.” And, Protenus notes that although there was not a substantial shift in insider-related breaches, overall awareness has increased with better reporting and guidance from HHS and  OCR on what to do in the aftermath of a breach. “To see continued improvement in detection and reporting in 2018, healthcare leaders will need to build upon the progress made this past year by comprehensively auditing every access to the EHR to ensure threats to patient privacy are proactively detected and mitigated,” the report states.

What’s more, in 2017, there was a significant decrease in the total number of records breached but Protenus notes that experts are unsure if this is an indicator of breach prevention or if malicious actors are taking a breath before a resurgence of attacks in 2018.

The cybersecurity software firm also expects the trend of at least one breach per day that began in 2016 to continue into 2018. In fact, Protenus predicts that there could be an increase in the number of incidents reported to HHS next year, but this would most likely be the result of the industry getting better at breach detection, rather than there actually being more incidents. And, as healthcare organizations gain the ability to monitor every access to the EHR and detect suspicious behavior as soon as it occurs, this will hopefully mean that the industry will continue to see a decrease in the number of records affected by health data breaches in 2018.

The report also found that, in 2017, healthcare entities suffered a setback in the average time taken for breach detection. According to the report, of the 144 health data breaches for which information was available, it took an average of 308 days for an organization to discover that it had suffered a breach, significantly longer than the average of 233 days for breach detection in 2016.

“This setback is partially due to the number of breaches reported in 2017 that had occurred for several years, some over a decade, before they were discovered,” Protenus states.

What’s more, it took an average of 73 days for organizations to report a breach to HHS after it was discovered, which represents an improvement from 2016, when it took an average of 344 days to report to HHS.

However, health data breaches need to be reported to HHS within their required 60-day window, or civil monetary penalties could be levied. “While this improvement is a great sign, we hope to report in 2018 that the yearly average fell within that 60-day window,” Protenus states in the report.

The trends seen in 2017 underscore the need for healthcare organizations to make data security a top priority and need to use the latest advances in technology to protect patient data.


2018 Boston Health IT Summit

Renowned leaders in U.S. and North American healthcare gather throughout the year to present important information and share insights at the Healthcare Informatics Health IT Summits.

August 7 - 8, 2018 | Boston



Geisinger National Precision Health Hires Illumina Exec to Lead Business Development

Integrated health system Geisinger has hired a high-profile genetic counselor to head up business development for Geisinger National Precision Health, which was created to extend the Geisinger model on the national scene.

$30M VC Fund Launched to Spur Innovation in Cardiovascular Care

The American Heart Association, together with Philips and UPMC, has announced the launch of Cardeation Capital, a $30 million collaborative venture capital fund designed to spur healthcare innovation in heart disease and stroke care.

Epic Wins Labor Dispute in Closely Divided Supreme Court Decision

Epic Systems Corporation won a major labor-law ruling in the Supreme Court on Monday, centering around the extent of corporations’ right to force employees to sign arbitration agreements, and with a 5-4 ruling in its favor

Survey: Two-Thirds of Physician Practices Seeking Out Value-Based Care Consulting Firms

Most physician organizations are not prepared for the move to value-based care, and 95 percent CIOs of group practices and large clinics state they do not have the information technology or staff in-house needed to transform value-based care end-to-end, according to a recent Black Book Market Research.

Cumberland Consulting Buys LinkEHR, Provider of Epic Help Desk Services

Cumberland Consulting Group, a healthcare consulting and services firm, has acquired LinkEHR, which provides remote application support, including Epic help desk services.

Population Health Tool that Provides City-Level Data Expands to 500 Cities

A data visualization tool that helps city officials understand the health status of their population, called the City Health Dashboard, has now expanded to 500 of the largest cities in the U.S., enabling local leaders to identify and take action around the most pressing health needs in their cities and communities.