Healthcare Data Breaches: A Year in Review | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Healthcare Data Breaches: A Year in Review

January 13, 2017
by Heather Landi
| Reprints
Click To View Gallery

The latest year-in-review Breach Barometer report from Protenus paints a stark picture—2016 averaged at least one health data breach per day, affecting more than 27 million patient records.

Protenus, a healthcare cybersecurity vendor, develops the Breach Barometer reports in collaboration with and the annual analysis is based on 450 breach incidents either reported to the U.S. Department of Health and Human Services (HHS) or disclosed in the media or other sources during the year. With more than one health data breach per day for the entire year, these breaches resulted in 27,314,647 affected patient records.

“Even as healthcare leaders became increasingly aware of the importance of health data protection, the number of breach incidents remained relatively steady each month of the year, highlighting the continued threat to patient data,” the report authors wrote.

If 2016 trends continue, according to the report authors, 2017 can expect to see a continued average of at least one health data breach disclosed per day.

Some key highlights from the breach barometer report on 2016 health data breaches:

  • Close to half (43 percent) of the data breaches (192 incidents) were a result of insiders, affecting 2 million patient records.
  • Of the insider incidents for which data was available, 99 were a result of insider-error or accident and 91 incidents were a result of wrongdoing.
  • The average number of breached patient records due to insider-error was more than three times the number attributed to insiders with malicious intent.
  • Hacking and ransomware were responsible for 27 percent of all healthcare data breaches
  • Hacking incidents impacted 23,695,069 patient records
  • There were so many patient records put up for sale on the dark web in 2016 that the price per record dropped significantly as the market become flooded.
  • While hacking accounted for the majority of patient records breached in 2016, insider incidents resulted in a larger number of breach incidents (120 vs. 192 respectively).
  • On average, health data breaches take 233 days to discover and 344 days to report
  • The time to discovery specifically in cases of insider wrongdoing was more than double that—607 days.

The report authors concluded, “This year’s data has shown that the frequency of breaches has been steady and will continue to be until health data security becomes a top priority for healthcare organizations. This data shows that external or internal bad actors are not being deterred from wreaking havoc on healthcare organizations and their patients. 2017 will continue to see this level, or even greater levels, of health data breaches if healthcare organizations don’t take steps to reduce their risk.”

Further, the report authors emphasized the need to focus on insider threats.

“The healthcare industry should prepare for an increase in insider health data breaches until organizations further require additional training and utilize technology to detect inappropriate accesses to the medical record, further reducing their breach risk,” the report authors wrote.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



Study: EHRs Tied with Lower Hospital Mortality, But Only After Systems Have Matured

Over the past decade, there has been significant national investment in electronic health record (EHR) systems at U.S. hospitals, which was expected to result in improved quality and efficiency of care. However, evidence linking EHR adoption to better care is mixed, according to medical researchers.

Nursing Notes Can Help Predict ICU Survival, Study Finds

Researchers at the University of Waterloo in Ontario have found that sentiments in healthcare providers’ nursing notes can be good indicators of whether intensive care unit (ICU) patients will survive.

Health Catalyst Completes Acquisition of HIE Technology Company Medicity

Salt Lake City-based Health Catalyst, a data analytics company, has completed its acquisition of Medicity, a developer of health information exchange (HIE) technology, and the deal adds data exchange capabilities to Health Catalyst’s data, analytics and decision support solutions.

Advocate Aurora Health, Foxconn Plan Employee Wellness, “Smart City,” and Precision Medicine Collaboration

Wisconsin-based Advocate Aurora Health is partnering with Foxconn Health Technology Business Group, a Taiwanese company, to develop new technology-driven healthcare services and tools.

Healthcare Data Breach Costs Remain Highest at $408 Per Record

The cost of a data breach for healthcare organizations continues to rise, from $380 per record last year to $408 per record this year, as the healthcare industry also continues to incur the highest cost for data breaches compared to any other industry, according to a new study from IBM Security and the Ponemon Institute.

Morris Leaves ONC to Lead VA Office of Electronic Health Record Modernization

Genevieve Morris, who has been detailed to the U.S. Department of Veterans Affairs (VA) from her position as the principal deputy national coordinator for the Department of Health and Human Services, will move over full time to lead the newly establishment VA Office of Electronic Health Record Modernization.