The year is not even two months old and healthcare data breaches are happening daily, says a new report from Baltimore healthcare security and patient privacy firm Protenus.

There were 31 healthcare data breaches in January, compared with 36 in January 2016, Protenus says.

But even though there were slightly fewer incidents, healthcare organizations are taking longer to report data breaches to the federal government and so far this year there have been a greater number of electronic patient records breached compared to January 2016—nearly 200% higher, Protenus says.

In January 388,307 patients’ records were comprised as a result of some type of breach, up 196.3% from 104,056 violations in January in the previous year.

51.6% of breached records—230,044—resulted from access by an unauthorized insider such as a health system employee or an employee working for an approved vendor, Protenus says. That figure also includes patient records stored on a lost or stolen laptop computer or mobile device. A total of 38.7%, or 145,636 records, took place as the result of a data breach.


“The majority of breached patient records were attributable to insider incidents and five of nine insider incidents were the result of insider wrongdoing,” Protenus says in a blog posting. “With 2016 averaging at least one health data breach per day, 2017 is off to a similar start with 31 breach incidents, averaging one data breach for every day of the month.”

Of the 31 reported incidents in January, there were 25 incidents involving healthcare providers (80.6% of all reported incidents), followed by four incidents involving health plans, and two involving third parties such as vendors, Protenus says.

By law a healthcare data breach must be reported within 60 days to the U.S. Department of Health and Human Services Office of Civil Rights, which oversees the process, forms correctional action and issues fines. But healthcare organizations are taking much longer to report an incident—an average of 174 days, Protenus says. “40% of reporting entities for which we have numbers took longer than the 60-day window to report their breach to HHS and HHS has started enforcing this 60-day reporting requirement with heavy fines,” says the Protenus blog.

21 states are represented in the 31 health data breach incidents from January. California remains the state publicly reporting the greatest number of health data breaches with six compared to Maryland with three reported health data breaches, according to Protenus.


Healthcare organizations, more than ever, need to be proactive in discovering and reporting when a breach has occurred,” Protenus says.