DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The 2024 Breach Barometer reports a staggering 171 million patient records breached. And that’s just the ones we know about.

Posted on March 19, 2024 by Dissent

Each year,  many news sites add up the number of reports on HHS’s public breach tool and then add up the number of records reported for those incidents.  For 2023, that came to 725 reports and about 135 million records.  Those numbers are disturbing, but not as disturbing as the numbers out today by Protenus.

Protenus’s annual Breach Barometer®  uses a somewhat different collection and analysis approach to breaches of medical or patient data involving U.S. entities. For 2023, they reported 1,161 reports and 171,139,241 breached records for the reports where numbers were available:

A staggering 171 million patient records were breached in 2023. This number includes both breaches reported to HHS under HIPAA and incidents involving health data not covered by HIPAA but held by U.S. entities. A further breakdown of the data shows that in 2023, there were 1,161 reports published on both covered and non-covered entities (Figure 1), impacting a total of 171,139,241 breached records (Figure 2). For comparison, in 2022 there were 1,138 reports affecting a total of 59,664,152 breached records.

[…]

Year over year, the number of breaches reported increased 2% in 2023: while the number of actual incidents dropped 1%, to 942 in 2023, compared to 956 in 2022 and 905 in 2021. However, the number of patient records affected in 2023 was up 187% over 2022, when a total of 171,139,241 patient records were compromised (320% over 2020) in 942 incidents where this measure of breach impact was known.

As Protenus reports, the true number of breached records is  unknown because although numbers are reported for each report to HHS on its public breach tool:

  • In more than 50 cases, reporting entities used “markers” of 500 or 501 for the number affected if they did not yet know the true number or scope;
  • Reports to states or or those affected are not generally not required by law to include the total number affected;
  • Most states do not require reports to be sent to a central state agency that makes them available; and
  • It was often difficult to know whether a business associate report was for all of its clients or only some of them.

In previous reports, Protenus provided subcategory data on ransomware attacks vs. hacking incidents that did not involve encryption. That analysis was abandoned for the 2023 data because entities were so non-transparent in disclosures that it was often impossible to determine if an incident was a ransomware attack or not.

The 2024 Breach Barometer® also looks at HHS OCR’s response to breaches and HHS’s 2022 annual report released last month. Of special note here, for  2022, HHS OCR  reported three instances in which their investigation resulted in resolution agreements with monetary penalties and corrective action plans. It is clear that HHS prefers an educational approach to a punitive approach, and they report an unspecified number of investigations that resulted in voluntary corrective action by entities with HHS’s assistance, but only three resolution agreements with monetary penalties?  What should we expect to see for 2023 when so many entities did not disclose timely and often allegedly failed to comply with the HIPAA Security Rule?

The full report can be found at https://www.protenus.com/breach-barometer-report

DataBreaches.net has been proud to collaborate with Protenus on its annual reports each year because Protenus truly appreciates how even small-N incidents like an employee snooping on a few patients’ records are a serious problem.  Stop by their site, make a call, or drop Protenus a line to find out more about how they can help you prevent and monitor for unauthorized insider activity.

 

 

Category: Commentaries and AnalysesHealth DataOf NoteU.S.

Post navigation

← Decreasing ransomware attacks: two strategies to consider
“Lifelock” pleads guilty to hacking and fraud charges →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.