Healthcare Informatics Magazine

Protenus: Improvement Seen in Reporting Data Breaches to HHS

May 23, 2017
by Rajiv Leventhal

Over the past few months, healthcare organizations have been taking less time to report their data breaches to the U.S. Department of Health and Human Services (HHS), which could be in response to the federal agency now fining organizations for not reporting health data breaches within the required 60-day window.

The findings are the latest from Protenus, which constructs a “Breach Barometer” report each month. Indeed, April is the second straight month in which there seems to be noticeable improvement in the time it takes for healthcare organizations to report their breaches to HHS.

Last month, 66 percent of entities reported their health data breach to HHS within the required 60-day window; previous Protenus reports have found that it has taken several months or years for a healthcare system to discover and report a health data breach to HHS. Of the incidents reported in April for which there is data, it took an average of 51 days for healthcare organizations to discover a breach had occurred. It also took an additional average of 59 days from the time the breach was discovered to when it was reported to HHS.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by

What’s more, the April report found that 2017 seems to be on a steady course when it comes to the number of breach incidents and number of patient records affected each month. March totals were significantly higher than April’s totals, mostly due to a single large breach incident in March. There were 34 separate breach incidents in April, affecting 232,060 patient records. The 39 incidents in March affected 1,519,521 patient records.

Meanwhile, insiders were responsible for 29 percent of April’s total breach incidents (10 incidents). Protenus has numbers for eight incidents, affecting 9,251 patient records. Five of the reported insider incidents were the result of insider error, affecting 7,037 patient records, and four of the reported incidents were the result of insider wrongdoing. The report’s authors noted, “While hacking receives significant press coverage, it’s the malicious bad actors that stem from inside healthcare organizations that can cause the most destruction. This is due to the simple fact that they often go undetected because they have legitimate access to patient data and aren’t the immediately obvious ‘red flag.’”

Once again, hacking accounted for a significant percentage of records and incidents (16 incidents accounted for 47 percent of the total breaches). For the reported hacking incidents for which there are numbers, 171,268 patient records were affected. There were five incidents in which ransomware was specifically mentioned as the cause of the health data breach; the authors noted that other breaches might have included ransomware too, but reports for those were unclear.

The report mentioned that in early April, one of the worst cybersecurity incidents of the year occurred, in which patient data was stolen from a behavioral health center in Maine and sold to an unknown third party. This incident did not get the major national attention many others do, and as the report stated, “It seems that in 2017 the threat has elevated for breaches of this caliber, and entities now have to worry about their patient data being listed for sale on the Dark Web before they even know a breach has occurred. In 2016, hackers like TheDarkOverlord were giving entities a heads up that their data would be sold if demands were not met. This year, we’ve seen data for sale before any warning or alerts were given to the entity.”
