Summary of January 2017 Healthcare Data Breaches Released

Protenus, in conjunction with, has released a summary of January 2017 healthcare data breaches. The report shows that 2017 started where 2016 left off, with similarly high numbers of healthcare data breach reported.

January 2016 saw the lowest number of data breaches of any month in 2016 (21) and also the lowest number of records exposed of any month in the year (104,056 records). 2017 did not start nearly as well. While lower than the average monthly breaches for 2016 (37.5), January saw 31 healthcare data breaches disclosed. Those breaches resulted in the exposure of 388,307 patient and health plan member records.

The largest healthcare data breach of January 2017 affected CoPilot Provider Support Services, Inc. The breach impacted 220,000 individuals. However, the breach actually occurred in October 2015, with CoPilot discovering the incident two months later in December 2015. The Department of Health and Human Services’ Office for Civil Rights was only notified of the incident last month, well outside the 60-day deadline for reporting breaches.

That was a recurrent theme in January. According to the Breach Barometer report, 40% of HIPAA-covered entities that disclosed in January 2017 reported the incident outside of the 60-day reporting window of the HIPAA Breach Notification Rule. January also saw the first settlement with a covered entity based solely on delayed breach notifications. Presense Health paid OCR $475,000 after breach notifications were delayed by a month.

In January, 12 hacking and IT incidents were disclosed which resulted in the theft of 145,636 records. Those incidents also included phishing attacks on covered entities. However, the biggest cause of healthcare data breaches by far was insider incidents. 58.4% of breaches, where the cause was known, and 59.2% of breached records (230,044) were the result of insiders.

Protenus reports that four incidents were the result of insider wrongdoing and 4 incidents were the result of insider errors.

Healthcare providers were the worst affected with 25 incidents in January, four health plans disclosed data breaches, and two business associates of covered entities reported breaches.

The average number of days between the breach occurring and the incident being reported to OCR was 174 days. It took an average of 123.5 days for healthcare organizations to discover a breach had occurred.

Healthcare data breaches in January 2017 were spread across 21 states, with California accounting for the highest number (6) followed by Maryland (3).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.