Protenus releases February health data breach statistics

Posted on by Dissent

So what kind of month was February for breaches in the healthcare sector? Protenus has released its February Breach Barometer based on incidents compiled by this site.  As a reminder: their analyses do not rely solely on HHS’s public breach tool.

As in past months, insider incidents – whether accidental or intentional wrongdoing – comprised a significant percentage of the incidents.  But while insider incidents accounted for 58% of reports last month, hacking incidents were down, accounting for only 12% of reported incidents. That number seems somewhat surprisingly low in light of all the alarms sounded about ransomware being on the rise and how PHI is a vulnerable target for external attackers. Healthcare It News has also noted the surprisingly low rate of reporting on ransomware incidents that are presumably occurring. They offer several possible explanations.

Overall, February incidents accounted for more than 200,000 breached patient records, a number that is significantly lower than many prior months and a far cry from last summer’s figures when hackers were putting entire databases up for sale on the dark web.

Seven of the 31 incidents included in the February analyses involved third party breaches, although you wouldn’t know that if you relied solely on HHS’s public breach tool, as that tool only indicates two third-party incidents.

Of particular note, Protenus’s report highlights yet again how long it takes for some entities to discover and/or disclose breaches. Two of the 31 incidents in the February data took more than 5 years to discover. One involved insider snooping and one involved a software glitch that had apparently resulted in mismailing for more than five years until the problem was discovered.

The incidents included in Protenus’s February analysis involved the following entities. Reports on many of these incidents can be found by searching this site, although for some incidents, we were unable to obtain any information. The largest incident disclosed during the month involved the City of Houston not securely wiping drives that were then sold at auction.

  • 2020 On-Site Optometry
  • Allina Health System
  • Bloom Physical Therapy, LLC dba Physicians Physical Therapy Service
  • California Correctional Health Care Services
  • Capital Prosthetic & Orthotic Center, Inc.
  • Catalina Post-Acute Care and Rehabilitation
  • Chadron Community Hospital & Health Services
  • City of Houston
  • Desert Orthopedics
  • Equipomed Care Corp.
  • Family Medicine East, Chartered
  • Family Services Rochester
  • Group Health Incorporated
  • Hillsborough County Aging Services
  • Jeffrey D. Rice, O.D., L.L.C. (Vision Source)
  • Leo Edwards, Jr., MD
  • Medical Information Management Systems, LLC
  • Monack Medical Supply
  • North Carolina Department of Health and Human Services
  • PIP Printing and Marketing Services
  • RCM Health Care Services
  • Robert E Torti, MD, PA dba Retina Specialists
  • South Fulton Mental Heath Center
  • St. Joseph’s Hospital and Medical Center
  • Syed Ahmed, MD PA
  • Universal Care, Inc. DBA Brand New Day
  • University of North Carolina School of Dentistry
  • Vanderbilt University Medical Center
  • Veterans Affairs – St. Louis
  • Walgreen
  • WVU Medicine University Healthcare
Category: Breach IncidentsCommentaries and Analyses