DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The 2024 Breach Barometer reports a staggering 171 million patient records breached. And that’s just the ones we know about.

Posted on March 19, 2024 by Dissent

Each year,  many news sites add up the number of reports on HHS’s public breach tool and then add up the number of records reported for those incidents.  For 2023, that came to 725 reports and about 135 million records.  Those numbers are disturbing, but not as disturbing as the numbers out today by Protenus.

Protenus’s annual Breach Barometer®  uses a somewhat different collection and analysis approach to breaches of medical or patient data involving U.S. entities. For 2023, they reported 1,161 reports and 171,139,241 breached records for the reports where numbers were available:

A staggering 171 million patient records were breached in 2023. This number includes both breaches reported to HHS under HIPAA and incidents involving health data not covered by HIPAA but held by U.S. entities. A further breakdown of the data shows that in 2023, there were 1,161 reports published on both covered and non-covered entities (Figure 1), impacting a total of 171,139,241 breached records (Figure 2). For comparison, in 2022 there were 1,138 reports affecting a total of 59,664,152 breached records.

[…]

Year over year, the number of breaches reported increased 2% in 2023: while the number of actual incidents dropped 1%, to 942 in 2023, compared to 956 in 2022 and 905 in 2021. However, the number of patient records affected in 2023 was up 187% over 2022, when a total of 171,139,241 patient records were compromised (320% over 2020) in 942 incidents where this measure of breach impact was known.

As Protenus reports, the true number of breached records is  unknown because although numbers are reported for each report to HHS on its public breach tool:

  • In more than 50 cases, reporting entities used “markers” of 500 or 501 for the number affected if they did not yet know the true number or scope;
  • Reports to states or or those affected are not generally not required by law to include the total number affected;
  • Most states do not require reports to be sent to a central state agency that makes them available; and
  • It was often difficult to know whether a business associate report was for all of its clients or only some of them.

In previous reports, Protenus provided subcategory data on ransomware attacks vs. hacking incidents that did not involve encryption. That analysis was abandoned for the 2023 data because entities were so non-transparent in disclosures that it was often impossible to determine if an incident was a ransomware attack or not.

The 2024 Breach Barometer® also looks at HHS OCR’s response to breaches and HHS’s 2022 annual report released last month. Of special note here, for  2022, HHS OCR  reported three instances in which their investigation resulted in resolution agreements with monetary penalties and corrective action plans. It is clear that HHS prefers an educational approach to a punitive approach, and they report an unspecified number of investigations that resulted in voluntary corrective action by entities with HHS’s assistance, but only three resolution agreements with monetary penalties?  What should we expect to see for 2023 when so many entities did not disclose timely and often allegedly failed to comply with the HIPAA Security Rule?

The full report can be found at https://www.protenus.com/breach-barometer-report

DataBreaches.net has been proud to collaborate with Protenus on its annual reports each year because Protenus truly appreciates how even small-N incidents like an employee snooping on a few patients’ records are a serious problem.  Stop by their site, make a call, or drop Protenus a line to find out more about how they can help you prevent and monitor for unauthorized insider activity.

 

 

No related posts.

Category: Commentaries and AnalysesHealth DataOf NoteU.S.

Post navigation

← Decreasing ransomware attacks: two strategies to consider
“Lifelock” pleads guilty to hacking and fraud charges →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.