DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

2022 Mid-Year Healthcare Data Breach Deep Dive — Protenus

Posted on August 2, 2022 by Dissent

Amanda Rogers writes:

As we’re now midway through 2022, we thought we’d take a half-time pause to compare some data breach statistics in the healthcare space for the first half of 2022 to the first half of 2021. We’ll also provide insight on how to proactively take a stand to better protect your patients and organization.

In this post, we’ll use the United States Department of Health and Human Services (HHS) public breach tool as well as data compiled by DataBreaches.net (“DataBreaches”) for Protenus.

I hope you’ll all read the mid-year blog post. In one respect, though, it turns out that it doesn’t matter if you use HHS’s statistics or DataBreaches.net’s larger dataset: the number of incidents was down in the first half of 2022 compared to 2021, as was the number of records impacted. But while the percent of incidents attributable to hacking increased slightly in 2022 from 75% to 80%, the percent of incidents attributable to business associates decreased from 42% to 36%. Whether those smallish changes will be maintained by the end of they year or when more data becomes available remains to be seen.

But let me use this post to take a deeper look into HHS’s breach tool when it comes to business associate reports.

Unfortunately, and although Protenus gets it right, a number of other sites misreport data on business associates based on HHS’s public breach tool. The misreporting occurs if they confuse the number of incidents reported by a business associate with the number of business associate incidents. Their mistake is somewhat understandable if you understand that while HHS’s reporting form asks the reporting entity if a business associate was involved, the entity’s response does not appear on the breach tool unless you either manually expand each entry to see each entity’s response or export the database and then look at a field in the Excel sheet that asks Yes or No for Business Associate?

Some sites who try to report statistics based on HHS do not seem to realize that simply counting the number of incident reports submitted by “Business Associates” significantly underestimates the number of incidents that were attributable to  business associates. Thus, for the first half of 2021, Protenus reported:

44 reports were submitted by business associates, but a deeper dive into HHS’s tool reveals that 156 of all incidents in the data set (42%) involved business associates.

So one take-home message is this: the number of incidents submitted by business associates is not the same as the number of reports involving business associates.  If you want to know the latter, you will have to dig deeper into HHS’s breach tool. But even if researchers know to expand the breach tool or export it,  they immediately encounter a second issue: how to differentiate the number of reports that involved  business associates from the number of unique incidents involving business associates?

Some business associate incidents may be reported, in part, by the business associate on behalf of some covered entities while other clients of the business associate may file on their own behalf.  Determining how many unique incidents there are in any time period requires the researcher to know whether each report on the breach tool is due to a business associate breach that has already been counted in any incident counter or is a new and previously unreported incident.

Imagine, for  a moment, if all 650+ clients of one business associate each filed individual breach notifications with HHS. The numbers we’d get might totally distort our understanding of how many breaches involving business associates occurred that year.

HHS’s public breach tool does not permit the kind of analysis researchers need because even in its expanded form or exported form, HHS’s breach tool generally does not name the business associate involved in a breach reported by a provider/covered entity. Or if the business associate is the reporting entity, HHS’s note may not name the covered entity or entities affected. We generally cannot determine from HHS’s breach tool how many reports might be related to the same business associate incident.

In a more helpful world, HHS’s breach tool would enable us to look at business associate breaches in a framework that allows us to cluster associated reports.

In 2022, discriminating between the number of reports involving business associates and the number of unique incidents involving business associates will remain challenging because of the number of large incidents involving business associates that we have already learned about this year.

I’ll have more to say about my wish list for revising HHS’s breach tool in the future, but in the meantime, go read Protenus’s blog


Related:

  • Legal Silence and Chilling Effects: Injunctions Against the Press in Cybersecurity
  • Two more entities have folded after ransomware attacks
  • Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
  • Missouri Adopts New Data Breach Notice Law
  • Qantas obtains injunction to prevent hacked data’s release
Category: Breach IncidentsCommentaries and Analyses

Post navigation

← Crypto Bridge Nomad Drained of Nearly $200 Million in Exploit
First Choice Community Healthcare discloses breach but doesn’t reveal it was a ransomware attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • U.S. nuclear and health agencies hit in Microsoft SharePoint breach
  • Russia suspected of hacking Dutch prosecution service systems
  • Korea imposes 343 million won penalty on HAESUNG DS for data breach of 70,000 shareholders
  • Paying cyberattackers is wrong, right? Should Taos County’s incident be an exception?
  • HHS OCR Settles HIPAA Ransomware Investigation with Syracuse ASC for $250k plus corrective action plan
  • IVF provider Genea notifies patients about the cyberattack earlier this year.
  • Key figure behind major Russian-speaking cybercrime forum targeted in Ukraine
  • Clorox Files $380M Suit Alleging Cognizant Gave Hackers Passwords in Catastrophic 2023 Cyberattack
  • Cyberattacks Paralyze Major Russian Restaurant Chains
  • France Travail: At least 340,000 job seekers victims of new hack

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Indonesia asked to reassess data privacy terms in new U.S. trade deal
  • Meta Denies Tracking Menstrual Data in Flo Health Privacy Trial
  • Wikipedia seeks to shield contributors from UK law targeting online anonymity
  • British government reportedlu set to back down on secret iCloud backdoor after US pressure
  • Idaho agrees not to prosecute doctors for out-of-state abortion referrals
  • As companies race to add AI, terms of service changes are going to freak a lot of people out. Think twice before granting consent!
  • Uganda orders Google to register as a data-controller within 30 days after landmark privacy ruling

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report