Protenus: Hacking Incidents are Quickly Discovered, But Insiders Go Undetected | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Protenus: Hacking Incidents are Quickly Discovered, But Insiders Go Undetected

September 21, 2017
by Heather Landi
| Reprints
Click To View Gallery

A report on healthcare data breaches in July and August finds that while hacking incidents are quickly detected, insider breach incidents continue to go unnoticed, which can have a significant impact on healthcare organizations and patients.

There were 33 breach incidents in August that we either disclosed to the U.S. Department of Health and Human Services (HHS) or the media, according to the latest findings from Protenus, which constructs a “Breach Barometer” report each month. The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by

The number of breach incidents, 33, is slightly down from July, which had 36, and June, which had 52 reported breach incidents in the healthcare sector.

For the 31 incidents for which Protenus had numbers, 673,934 patient records were affected.  The largest single incident for which Protenus had numbers involved 266,123 patient records in a hacking incident that involved ransomware.

The shift in health data breaches first mentioned in the July Breach Barometer continues through August, with hacking incidents outweighing insider incidents in both frequency and the number of patient records affected.  In August, healthcare experienced 18 hacking incidents, accounting for 95 percent of all breached patient records. Protenus reports that there were five incidents that specifically mentioned ransomware as the cause of the health data breach.  One organization experienced two phishing attacks in as many months.  

In August, insiders were responsible for 27 percent of breach incidents. Seven of the reported insider incidents were the result of insider-error, Protenus reports, and two of the reported insider incidents were the result of insider-wrongdoing. “In one case, an organization that suffered a hacking incident also ended up suffering from an insider incident during the notification process. The notification letters that included sensitive information were sent to the wrong recipients, creating another breach altogether,” the report authors wrote.

Also of note in the August report, it took an average of 138 days (median = 31 days) for healthcare organizations to discover a breach had occurred. It’s important to note that the mean and median are drastically different given the extreme range of the data, noted the Protenus report: some entities discovered a breach immediately, while one incident went undiscovered for almost two years, a result of insider-wrongdoing. This breach affected 4,721 patient records and went completely unnoticed until the breach was reported to the healthcare organization, according to the Protenus report.

At first glance, it appears that there is an emerging trend that health data breaches are taking significantly less time to discover. However, further analysis by Protenus suggested that the decreasing time to discovery may simply be an artifact of the recent uptick in hacking incidents. For the month of August, time to discover a hacking incident took an average of 26 days (median = 22.5 days), while insider incidents took an average of 209.8 days (median = 115 days).  Generally, hacking incidents are discovered much sooner than insider incidents because of the disruption to the organization’s daily operations.

“This should serve as a reminder to healthcare organizations that while hacking can create a large splash due to the large number of affected patient records in one incident, it is the insider threats to patient data that can go undetected for extended periods of time. This is often the case because insiders have legitimate access to the EHR and ancillary systems. Advanced analytics are necessary to fully understand how patient information is accessed so that when a breach occurs, it can be detected, mitigated, and resolved as quickly as possible,” the report authors wrote.

Drilling down into outside hacking incidents, Protenus also reports that researchers are reporting a resurgence of attacks on unsecured MongoDB installations and Rsync backup devices that are resulting in these devices being wiped out or ransomed. “While it is unclear how many of breached installations or servers contained health or patient data, this should remind healthcare organizations to check configuration settings and test the security of all backup servers and devices,” the report authors wrote.

At the same time, extortion demands and non-automated ransom demands continue to plague the healthcare industry, although in many cases, media reports and HHS reports make no mention of the extortion component. Protenus cites one example in which there was an incident first disclosed in August by a covered entity that involved an attack by TheDarkOverlord (TDO), but the public disclosure did not include reference to the associated extortion attempt.  

What’s more, is also aware of another group of blackhat hackers who have attempted to extort a healthcare entity. Protenus notes that the entity reported the incident to HHS, but there wasn’t a report of the extortion attempt or the fact that the hackers have already dumped approximately 10,000 patients’ records as part of applying pressure to the entity to pay the extortion. “This information reinforces that the HHS tool does not provide the full picture of how health data breaches are truly affecting healthcare,” the report authors noted.

Get the latest information on Health IT and attend other valuable sessions at this two-day Summit providing healthcare leaders with educational content, insightful debate and dialogue on the future of healthcare and technology.

Learn More



NIH to Fund Genome Centers for All of Us Program

In May 2018 the National Institutes of Health will solicit applications for large-scale Genome Centers to generate genomic data as part of the All of Us Research Program.

New York State’s PDMP Now Interoperable with 25 States and D.C.

New York Governor Andrew Cuomo announced this week new efforts to combat the opioid epidemic, including advancing partnerships in New York’s prescription monitoring program (PMP) across the country.

Report: Midwest Healthcare Companies Attracted $2.5B in Investments in 2017

Midwest healthcare companies attracted $2.5 billion in new equity investments in 2017, a 38 percent increase over 2016, according to the BioEnterprise Midwest Healthcare Growth Capital Report.

Research: Precision Medicine May Improve Survival in Late-Stage Cancer, Lower Costs

A precision medicine study conducted by researchers from Intermountain Precision Genomics and Stanford University School of Medicine indicates that precision oncology may improve overall survival and lower healthcare costs for advanced cancer patients.

Study: Researchers Use EHR Data to Predict Future Chronic Opioid Use

Researchers at the University of Colorado Anschutz Medical Campus are working to develop statistical models to better predict which patients will be prescribed opioid medications long-term following discharge from a hospital stay.

ONC Avoids 2018 Budget Cuts in New Spending Bill

The Office of the National Coordinator for Health IT’s (ONC) funding for 2018 will hold steady through September, at $60 million, as part of a House spending bill that was passed on Thursday.