Health IT

It took some organizations three years to discover a data breach

Data breaches just keep happening. In May’s Protenus Breach Barometer, three reported breach incidents went undetected for more than three years.

data breach, cybersecurity, breach, security

Despite the best cybersecurity efforts, the number of breaches in the healthcare world is remaining fairly constant, according to the latest Protenus Breach Barometer.

The Barometer is based on data provided by

“If the Breach Barometer has taught us anything, it’s not a matter of ‘if’ a healthcare organization will experience a data breach, but simply a matter of ‘when,'” the May Protenus report states.

In the month of May alone, Baltimore, Maryland-based Protenus found there were 37 healthcare breach incidents either disclosed to HHS or the media. Of the 29 incidents for which Protenus had data, 255,108 patient records were impacted.

Though the number of breached records in May is high, it pales in comparison to statistics from March, when 1.5 million patient records were compromised. There were 39 breach incidents that month.

Perhaps the most shocking statistic from May’s Breach Barometer is this: Three incidents went undetected for more than three years.

“This information should serve as a call-to-action for the healthcare industry — the time is over to bury our heads in the sand,” according to Protenus. “We should learn from one another on steps that can be taken to reduce the overall risk of experiencing a breach, as well as openly discuss the industry’s privacy and security shortfalls.”

This number becomes all the more shocking when one considers that HHS requires entities to report breaches within a 60-day timeframe.

On top of that, in May, it took an average of 441 days for organizations to find out a breach occurred. In April, it took the average organization 51 days to discover a breach.

On a positive note, Protenus found 83 percent of entities did report their breach to HHS within the required 60 days.

The May breaches stemmed from a variety of causes. While insiders were to blame for 40.54 percent of the total incidents, 35.14 percent of incidents were due to hacking. Another 13.51 percent were caused by loss or theft, and the remaining 10.81 percent is from unknown causes.

The breaches also occurred across multiple sectors of the healthcare industry. Twenty-nine of May’s 37 breaches happened to healthcare providers. Three were reported by health plans, and four were reported by a business associate or third party.

Also of note is the fact that the 37 breaches occurred in 19 states. California led the way in the highest number of incidents (six). Florida and Texas followed suit, with five and four incidents, respectively.

Photo: Rawpixel Ltd, Getty Images