In November, I gave thanks for fewer breach reports

Protenus has released its monthly Breach Barometer, and the statistics for November were something to be thankful for – even if they turn out to be just a brief  break from the crush of breach reports we’ve seen every month.

As Protenus reports, there were 28 incidents first disclosed during November. We were able to determine the number of records breached for 25 of those incidents. The total number of breached records for the month was 83,925, which is the lowest monthly total we’ve seen for all of 2016 and 2017.

There were  more Insider incidents than Hacking incidents disclosed in November, but hacking would have accounted for more breached records than Insider incidents if we had numbers for all of the hacking incidents. As a reminder, our “Insider” incidents includes both human error incidents as well as intentional wrongdoing by rogue employees.

The following are the breach incidents that were included in Protenus’s November analyses. As always, there may be breaches that were reported during the month on HHS’s breach tool that are NOT included in our analyses because we had reported them previously. Other breaches appear on our list but not on HHS’s breach tool because our list includes incidents involving entities that are not necessarily covered by HIPAA.

As can be seen below, in some cases we were unable to get additional information on an incident, despite sending inquiries or attempting to research an incident.  Even when an entity may code an incident as “Hacking/IT Incident” in their submission to HHS, it may be coded as “Unknown” in our system if we were unable to obtain details that support coding it as a hacking incident instead of an Insider-Wrongdoing incident, etc. Links in the list below are to coverage or details on the incident:

  1. Aetna Inc. – 1,600 – Unknown
  2. Alere Toxicology – 2,146 – Unknown
  3. Baptist Health Louisville – 800 – Hacking
  4. Center for Health Services – 501 – Theft
  5. Clinical Pathology Laboratories Southeast  – 500 – Theft
  6. Cook County Health & Hospitals System – 727 –  Insider-Error at Experian Health
  7. Department of Social and Health Services’ Behavioral Health Administration/ Western State Hospital – 515 – Insider-Error
  8. East Central Kansas Area Agency on Aging – 8,750 – ransomware
  9. Family & Cosmetic Dentistry of the Rockies – 1,850 – Insider-Error
  10. Florida Blue  – 939 – reported breach at Real-Time Health Quotes
  11. Hackensack Sleep and Pulmonary Center – 16,474 – Hack
  12. Humana – 5,674 – Insider-Error by Real-Time Health Quotes
  13. IU Health Ball Memorial Hospital  – 1,399 –  Lost (and Found)
  14. Little River Healthcare – Central Texas, LLC d/b/a Little River Waco Ear Nose and Throat  – ? – Ransomware
  15. Lowell General Hospital – 769 – Insider-Wrongdoing
  16. Medical College of Wisconsin – 9,500 – hacking
  17. North Carolina Department of Health and Human Services – 6,000 – Insider-Error
  18. Pulmonary Specialists of Louisville, PSC – ? – Hack
  19. Rocky Mountain Health Care Services – 909 – Theft
  20. Roger Williams Medical Center – 60 – Theft
  21. Shop-Rite Supermarkets, Incorporated – 12,172 – Insider-Error
  22. Stanford University – 200 – Insider-Error
  23. Sutter Valley Medical Foundation d/b/a Sutter Medical Foundation – 1,303 – Theft
  24. Union Labor Life Insurance Company – 665 – Unknown
  25. UAB Viral Hepatitis Clinic – 652 – Loss
  26. UPMC Susquehanna -1200- Hacking
  27. Valley Family Medicine – 8,450 – Insider-Wrongdoing
  28. Wilbraham, Lawler & Buba, P.C. – ? – ransomware

As the year draws to a close, I have started compiling statistics for December and for Protenus’s annual report on breaches involving health data.  If you’re not on their free subscription list already, you may wish to sign up so you will be notified when the reports or webinars are available.

About the author: Dissent