HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Protenus Publishes Healthcare Data Breach Report for March 2017

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen.

In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents.  February saw relatively few individuals affected by healthcare data breaches. 206,151 patients and health plan members had some of their protected health information exposed last month. However, in March the figure jumped to 1,519,521 – more than 2.5 times the number of individuals impacted by healthcare data breaches in January and February combined. Almost half of those individuals had their ePHI exposed in the same incident – a 697,800-record theft incident reported by Commonwealth Health Corporation.

The Protenus report shows insiders were the biggest cause of the healthcare data breaches reported in March, accounting for 44% of the total. There were 10 insider incidents reported in March that involved insider error and seven were the result of insider wrongdoing.

Hacking incidents made up 28% of the total and resulted in the theft or exposure of 600,270 records. 21% of incidents involved the loss or theft of physical records and devices containing ePHI.  While loss and theft was responsible for the fewest data breaches, those incidents resulted in the exposure of the most records in March, with 737,131 individuals impacted by those incidents. The remaining 8% of breaches could not be categorized as the cause has not been disclosed.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Healthcare providers were the worst hit, registering 84.6% of the incidents. Four incidents were reported by health plans and there was one breach reported by a business associate.

Protenus reports that virtually all data breaches were reported within the 60-day window of the HIPAA Breach Notification Rule. There was a marked improvement in reporting times, taking an average of 45 days from the discovery of the breach to the submission of the breach report to the Department of Health and Human Services’ Office for Civil Rights. In February, the average time from the discovery of the breach to submitting a report to OCR was 478 days. In March, only two covered entities submitted late breach reports – one took 77 days and another took 89 days.

While California is usually the worst affected state, this month Texas gets that honor with 6 reported incidents. Tennessee, Pennsylvania, Kentucky, and Missouri each had three data breaches.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.