
Report: Data Breach Incidents in March Affected 1.5 Million Patient Records

April 14, 2017
by Heather Landi

There was a sharp spike in the number of breached patient records as the result of data breach incidents in March, with this month seeing 2.5 times the number of breached records in January and February combined, according to the latest Protenus “Breach Barometer” report.

The Protenus Breach Barometer is a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by This month’s analysis showed 31 breach incidents either reported to the U.S. Department of Health and Human Services or first disclosed in media or other sources, which is the same number of incidents as reported in January.

This report comes on the heels of another cybersecurity study that found that academic medical centers are more likely to experience data breaches than other health systems. A study, published online by JAMA Internal Medicine, and led by a researcher at the Johns Hopkins Carey Business School, found that the risk of data breaches at U.S. hospitals is greater at larger facilities and hospitals that have a major teaching mission. For that study, researchers examined the federal Department of Health and Human Services' statistics on data breaches reported by various health care providers from late 2009 through 2016. They found that 216 hospitals reported a total of 257 breaches during that period, and that 33 of those hospitals—15 percent—were breached at least twice. The researchers also looked at hospitals that reported no data breaches. Comparing these findings with the information from the compromised hospitals, the researchers noted that the breached facilities were larger, with a median number of 262 beds, compared to 134 for the non-breached. More than a third of those breached hospitals also were major teaching facilities.

According to the Protenus report, there were 39 separate breach incidents in March, which is an uptick from the 31 separate breach incidents in February and in January. The 39 incidents in March affected 1,519,521 patient records, Protenus reports; the largest single incident involved almost 700,000 patient records and was reported to HHS as “theft-other.” The number of breached patient records last month—1.5 million—is a drastic increase from the numbers in January (388,000 patient records) and February (206,000 patient records).

The Protenus report also indicates that insider threats remain significant in healthcare. Insiders were responsible for 44 percent of March’s total breach incidents (17 incidents), affecting 179,000 patient records. Ten of the reported insider incidents were the result of insider-error, and seven of the reported incidents were the result of insider-wrongdoing.

As in previous months, other than February, hacking accounted for a significant percentage of records and incidents (11 incidents accounted for 28 percent of total incidents), Protenus reports. The hacking incidents reported this month affected 600,270 patient records.

So far in 2017, Protenus researchers report, third-party breaches have represented a substantial portion of total breached patient records: 82 percent in January and 21 percent in February. In March, by contrast, third parties were responsible for only 3 percent (one incident) of total breached patient records.

There is some good news, however, as the report also found that the time healthcare organizations took to report improved in March compared to previous months. Previous Protenus reports have found that it has taken several months or years for a healthcare system to discover and report a health data breach to HHS. Of the incidents reported in March for which Protenus had data, it took an average of 45 days from the time the breach was discovered to when it was reported to HHS, which signifies a dramatic improvement from the 478 days it took HHS to be notified of breaches reported in February. HHS requires that healthcare organizations report data breach incidents within a 60-day window.

“It should also be noted that HHS OCR has recently started fining entities for not reporting a health data breach within the required time frame. It leads one to ask—have recent OCR fines led to an increase in diligent and prompt reporting of health data breaches?,” the report authors wrote.

