Healthcare Informatics Magazine

Protenus: Improvement Seen in Reporting Data Breaches to HHS

May 23, 2017
by Rajiv Leventhal

Over the past few months, healthcare organizations have been taking less time to report their data breaches to the U.S. Department of Health and Human Services (HHS), which could be in response to the federal agency now fining organizations for not reporting health data breaches within the required 60-day window.

The findings were the latest from Protenus, which constructs a “Breach Barometer” report each month. Indeed, April is the second straight month in which there seems to be noticeable improvement in the time it takes for healthcare organizations to report their breaches to HHS.

Last month, 66 percent of entities reported their health data breach to HHS within the required 60-day window; previous Protenus reports have found that it has taken several months or years for a healthcare system to discover and report a health data breach to HHS. Of the incidents reported in April for which there is data, it took an average of 51 days for healthcare organizations to discover a breach had occurred.  It also took an additional average of 59 days from the time the breach was discovered to when it was reported to HHS.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by

What’s more, the April report found that 2017 seems to be on a steady course when it comes to the number of breach incidents and number of patient records affected each month.  March totals were significantly higher than April’s totals, mostly due to a single large breach incident in March.  There were 34 separate breach incidents in April, affecting 232,060 patient records.  The 39 incidents in March affected 1,519,521 patient records.

Meanwhile, insiders were responsible for 29 percent of April’s total breach incidents (10 incidents).  Protenus has numbers for eight incidents, affecting 9,251 patient records.  Five of the reported insider incidents were the result of insider-error, affecting 7,037 patient records, and four of the reported incidents were the result of insider-wrongdoing. The report’s authors noted, “While hacking receives significant press coverage, it’s the malicious bad actors that stem from inside healthcare organizations that can cause the most destruction.  This is due to the simple fact that they often go undetected because they have legitimate access to patient data and aren’t the immediately obvious ‘red flag.’”

Once again, hacking accounted for a significant percentage of records and incidents (16 incidents accounted for 47 percent of the total breaches). For the reported hacking incidents for which there are numbers, 171,268 patient records were affected. There were five incidents in which ransomware was specifically mentioned as the cause of the health data breach; the authors noted that other breaches might have included ransomware too, but reports for those were unclear.

The report mentioned that in early April, one of the worst cybersecurity incidents of the year occurred, in which patient data was stolen from a behavioral health center in Maine and sold to an unknown third party. This incident did not get the major national attention many others do, and as the report stated, “It seems that in 2017 the threat has elevated for breaches of this caliber, and entities now have to worry about their patient data being listed for sale on the Dark Web before they even know a breach has occurred.  In 2016, hackers like TheDarkOverlord were giving entities a heads up that their data would be sold if demands were not met. This year, we’ve seen data for sale before any warning or alerts were given to the entity.”
