In November, I gave thanks for fewer breach reports
Protenus has released its monthly Breach Barometer, and the statistics for November were something to be thankful for – even if they turn out to be just a brief break from the crush of breach reports we’ve seen every month.
As Protenus reports, there were 28 incidents first disclosed during November. We were able to determine the number of records breached for 25 of those incidents. The total number of breached records for the month was 83,925, which is the lowest monthly total we’ve seen for all of 2016 and 2017.
There were more Insider incidents than Hacking incidents disclosed in November, but hacking would have accounted for more breached records than Insider incidents if we had numbers for all of the hacking incidents. As a reminder, our “Insider” incidents includes both human error incidents as well as intentional wrongdoing by rogue employees.
The following are the breach incidents that were included in Protenus’s November analyses. As always, there may be breaches that were reported during the month on HHS’s breach tool that are NOT included in our analyses because we had reported them previously. Other breaches appear on our list but not on HHS’s breach tool because our list includes incidents involving entities that are not necessarily covered by HIPAA.
As can be seen below, in some cases we were unable to get additional information on an incident, despite sending inquiries or attempting to research an incident. Even when an entity may code an incident as “Hacking/IT Incident” in their submission to HHS, it may be coded as “Unknown” in our system if we were unable to obtain details that support coding it as a hacking incident instead of an Insider-Wrongdoing incident, etc. Links in the list below are to coverage or details on the incident:
- Aetna Inc. – 1,600 – Unknown
- Alere Toxicology – 2,146 – Unknown
- Baptist Health Louisville – 800 – Hacking
- Center for Health Services – 501 – Theft
- Clinical Pathology Laboratories Southeast – 500 – Theft
- Cook County Health & Hospitals System – 727 – Insider-Error at Experian Health
- Department of Social and Health Services’ Behavioral Health Administration/ Western State Hospital – 515 – Insider-Error
- East Central Kansas Area Agency on Aging – 8,750 – ransomware
- Family & Cosmetic Dentistry of the Rockies – 1,850 – Insider-Error
- Florida Blue – 939 – reported breach at Real-Time Health Quotes
- Hackensack Sleep and Pulmonary Center – 16,474 – Hack
- Humana – 5,674 – Insider-Error by Real-Time Health Quotes
- IU Health Ball Memorial Hospital – 1,399 – Lost (and Found)
- Little River Healthcare – Central Texas, LLC d/b/a Little River Waco Ear Nose and Throat – ? – Ransomware
- Lowell General Hospital – 769 – Insider-Wrongdoing
- Medical College of Wisconsin – 9,500 – hacking
- North Carolina Department of Health and Human Services – 6,000 – Insider-Error
- Pulmonary Specialists of Louisville, PSC – ? – Hack
- Rocky Mountain Health Care Services – 909 – Theft
- Roger Williams Medical Center – 60 – Theft
- Shop-Rite Supermarkets, Incorporated – 12,172 – Insider-Error
- Stanford University – 200 – Insider-Error
- Sutter Valley Medical Foundation d/b/a Sutter Medical Foundation – 1,303 – Theft
- Union Labor Life Insurance Company – 665 – Unknown
- UAB Viral Hepatitis Clinic – 652 – Loss
- UPMC Susquehanna -1200- Hacking
- Valley Family Medicine – 8,450 – Insider-Wrongdoing
- Wilbraham, Lawler & Buba, P.C. – ? – ransomware
As the year draws to a close, I have started compiling statistics for December and for Protenus’s annual report on breaches involving health data. If you’re not on their free subscription list already, you may wish to sign up so you will be notified when the reports or webinars are available.