DataBreaches.Net

Protenus releases its 2023 Breach Barometer for Health Data Breaches

Posted on February 21, 2023 by Dissent

Protenus LLC has released its seventh annual Breach Barometer report. Unlike other analyses that seem to rely solely on reports to the U.S. Department of Health and Human Services, the Breach Barometer uses a broader lens and includes reports from non-HIPAA entities that involved medical data or health insurance information on employees or patients.

There are other important methodological differences between the Breach Barometer and other analyses of the healthcare sector that warrant mention before turning to the findings. One is that the count shown on HHS’s public breach tool (which covers incidents affecting more than 500 patients) should be read as the number of reports submitted between January 1 and December 31 of the year. In a number of cases, numerous reports all stem from one incident. Thus, the number of reports submitted to HHS does not represent the number of new incidents reported to HHS during the year.

For 2022, DataBreaches.net, in collaboration with Protenus, compiled 1,138 reports from 956 unique incidents. Compared to 2021, that represents an 8% increase in the number of reports and a 6% increase in the number of unique incidents. There was also a 6% increase in the number of incidents for which we had any numbers, however partial they might be. Given the relatively small increase year over year, it is noteworthy that there was an 18% increase in the number of breached records from 2021 to 2022.

Consistent with trends noted in previous Barometer reports, hacking accounted for 75% of all reported new incidents and 86% of all reported breached records.

Remember the exciting news about how payments to ransomware gangs were decreasing? The Breach Barometer comments:

While on paper it appeared that ransomware payments were trending downward as more organizations did not pay, it does not mean the number of attacks is waning. According to Rebecca Moody, head of data research at cybersecurity research firm Comparitech, “accurately gauging ransomware attack trends continues to be complicated by the fact that so many incidents never publicly come to light.” In 2022, we observed a shift in how covered entities or victims reported ransomware attacks. As these attacks are increasingly called a “security incident” or “cyberattack”, public disclosures therefore do not give us a real sense of how many ransomware attacks there were against healthcare entities last year, in how many cases PHI was encrypted and/or services were disrupted, and in how many cases entities paid ransom.

Lack of information in government-mandated breach notifications appears to be a problematic nationwide trend — two-thirds of all data breach notices in 2022 didn’t disclose enough details on causes and potential risk to help victims better protect themselves, according to an annual data breach report released by the Identity Theft Resource Center (ITRC), a non-profit organization focusing on identity crime. Says ITRC CEO Eva Velasquez, “The result of these trends is less reliable data that impairs the ability of individuals, businesses and government officials to make informed decisions about the risk of a data compromise and the actions to take in the aftermath of one.”

ITRC’s point that individuals are less able to make informed decisions about what actions to take in the aftermath of a breach is a point DataBreaches has made repeatedly over the past few years: entities that do not disclose to those affected that their data has actually been dumped or leaked on the internet are often intentionally withholding critical information that might influence victims’ actions in response to a breach. In too many cases, the only information victims may get that their personal and sensitive information has actually been leaked publicly comes from reports by DataBreaches or other media and news outlets.

DataBreaches continues to urge regulators and legislators to enact and enforce legislation that requires greater transparency by breached entities.

Since Protenus’s first Breach Barometer, Protenus and DataBreaches have continued to urge covered entities to pay greater attention to the security of their business associates. The 2023 Barometer reports:

The number of breached records involving a Business Associate (BA) or third party jumped nearly 30% year over year to 29,478,169. BAs were involved in 188 of reported incidents in 2022 — approximately 20% of all new and unique breaches reported for the year (Figure 11).

Figure 11 from Breach Barometer shows the percent of BA breaches by type.
Source: 2023 Breach Barometer, Protenus LLC.

BA-related incidents accounted for 49% of all breached records for the year, up from 42% in 2021. Of the breaches involving BAs, the majority — 134 incidents, or 71% — were a result of hacking.

Protenus’s 2023 Breach Barometer also contains statistics on insider breaches. Some involve human errors such as mailing errors or misconfigurations. Others involve wrongdoing by employees, or by employees of business associates.

Insider incidents continue to account for more than 10% of all incidents reported in the year. The number of breached records due to insider error increased 141% from 2021. That number is likely to climb much higher in 2023 as reports arrive from still more entities that did not realize they were transmitting protected health information to analytics firms like Meta. As the Barometer reports:

After the problem was first revealed by a study reported by The Markup, covered entities and Business Associates began to report how many patients may have had their PHI transmitted to Meta or other entities that should not have received PHI. Protenus and DataBreaches have coded these reports as “Insider Error” incidents on the premise that there was no intention to be disclosing PHI via trackers. We expect that there will also be significant reports of this kind in 2023.

Other statistics and patterns included in the 2023 Barometer address the gap between breach and discovery and between breach and disclosure. The report also includes per-state frequency data.

You can access a copy of the free report at https://www.protenus.com/breach-barometer-report.

Category: Breach Incidents
