DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The 2024 Breach Barometer reports a staggering 171 million patient records breached. And that’s just the ones we know about.

Posted on March 19, 2024 by Dissent

Each year,  many news sites add up the number of reports on HHS’s public breach tool and then add up the number of records reported for those incidents.  For 2023, that came to 725 reports and about 135 million records.  Those numbers are disturbing, but not as disturbing as the numbers out today by Protenus.

Protenus’s annual Breach Barometer®  uses a somewhat different collection and analysis approach to breaches of medical or patient data involving U.S. entities. For 2023, they reported 1,161 reports and 171,139,241 breached records for the reports where numbers were available:

A staggering 171 million patient records were breached in 2023. This number includes both breaches reported to HHS under HIPAA and incidents involving health data not covered by HIPAA but held by U.S. entities. A further breakdown of the data shows that in 2023, there were 1,161 reports published on both covered and non-covered entities (Figure 1), impacting a total of 171,139,241 breached records (Figure 2). For comparison, in 2022 there were 1,138 reports affecting a total of 59,664,152 breached records.

[…]

Year over year, the number of breaches reported increased 2% in 2023: while the number of actual incidents dropped 1%, to 942 in 2023, compared to 956 in 2022 and 905 in 2021. However, the number of patient records affected in 2023 was up 187% over 2022, when a total of 171,139,241 patient records were compromised (320% over 2020) in 942 incidents where this measure of breach impact was known.

As Protenus reports, the true number of breached records is  unknown because although numbers are reported for each report to HHS on its public breach tool:

  • In more than 50 cases, reporting entities used “markers” of 500 or 501 for the number affected if they did not yet know the true number or scope;
  • Reports to states or or those affected are not generally not required by law to include the total number affected;
  • Most states do not require reports to be sent to a central state agency that makes them available; and
  • It was often difficult to know whether a business associate report was for all of its clients or only some of them.

In previous reports, Protenus provided subcategory data on ransomware attacks vs. hacking incidents that did not involve encryption. That analysis was abandoned for the 2023 data because entities were so non-transparent in disclosures that it was often impossible to determine if an incident was a ransomware attack or not.

The 2024 Breach Barometer® also looks at HHS OCR’s response to breaches and HHS’s 2022 annual report released last month. Of special note here, for  2022, HHS OCR  reported three instances in which their investigation resulted in resolution agreements with monetary penalties and corrective action plans. It is clear that HHS prefers an educational approach to a punitive approach, and they report an unspecified number of investigations that resulted in voluntary corrective action by entities with HHS’s assistance, but only three resolution agreements with monetary penalties?  What should we expect to see for 2023 when so many entities did not disclose timely and often allegedly failed to comply with the HIPAA Security Rule?

The full report can be found at https://www.protenus.com/breach-barometer-report

DataBreaches.net has been proud to collaborate with Protenus on its annual reports each year because Protenus truly appreciates how even small-N incidents like an employee snooping on a few patients’ records are a serious problem.  Stop by their site, make a call, or drop Protenus a line to find out more about how they can help you prevent and monitor for unauthorized insider activity.

 

 

Category: Commentaries and AnalysesHealth DataOf NoteU.S.

Post navigation

← Decreasing ransomware attacks: two strategies to consider
“Lifelock” pleads guilty to hacking and fraud charges →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.
  • CoinMarketCap Hacked, Scrambles to Remove Malicious Wallet Verification Popup
  • Montana Attorney General launches investigation into Lee Enterprises data breach
  • AT&T gets preliminary approval for $177 million data breach settlement
  • Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Former JBLM soldier pleads guilty to attempting to share military secrets with China
  • No, the 16 billion credentials leak is not a new data breach — a wake-up call about fake news (Updated)
  • Tonga’s health system hit by cyberattack (1)
  • Russia Expert Falls Prey to Elite Hackers Disguised as US Officials
  • Proposed class action settlement in In re Netgain Technology litigation

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data
  • US Judge Invalidates Biden Rule Protecting Privacy for Abortions
  • DOJ’s Data Security Program: Key Compliance Considerations for Impacted Entities
  • 23andMe fined £2.31 million for failing to protect UK users’ genetic data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.