Protenus recently released both their mid-year and September snapshots regarding healthcare breaches. The reports show that insider threats and extortion attempts in the industry are on course to meet or exceed 2016 levels.

Insider Threats in Healthcare Remain Constant

Protenus, in collaboration with, compiled the Breach Barometer Report: Mid-Year Review based on breach incidents reported to the U.S. Department of Health and Human Services (HHS), the media, or state attorneys general. Here are some key findings:

  • 41% of the health data breaches so far in 2017 (96 incidents) were from insiders and affected over 1M patient records. The number of breach incidents and affected patient records is on course to meet or exceed the findings for 2016.
  • The majority of the insider incidents disclosed this year were a result of an insider error or accident; fewer incidents were a result of wrongdoing.
  • While there were substantially more breach incidents that involved insider-error, it was insider-wrongdoing that affected considerably more patient records (423,009 vs. 743,665).
  • Insiders with malicious intent can cause significant damage because their inappropriate access isn’t immediately detected because they have legitimate access to the electronic health record (EHR).

Insiders Behind More Incidents than Hackers

Insiders are responsible for more breaches – and these incidents typically go undetected for a longer period of time than other breach types.

  • Hacking – including ransomware incidents – was responsible for 53% of breached patient records.
  • So far in 2017, 75 separate breach incidents were the result of hacking and these affected over 1.5M patient records. Ransomware or malware was specifically mentioned as involved in 29 of the hacking incidents,
  • While hacking has accounted for the majority of patient records breached, insiders are responsible for 28% more breach incidents than hackers (75 vs. 96 incidents, respectively). The media generally gives more attention to hacking incidents (32% of total incidents), as they create a large splash when breaching a large amount of patient records in one incident. Insider incidents, however, can often go longer, even years, without detection, creating much more devastation.

Breach Incidents – and Extortion – Take Uptick in September

The Protenus Breach Barometer report for September extends reporting data for the year – and shows a rise over prior months. Here are some key findings:

  • Of the reported breach incidents in September, it took an average of 387 days for healthcare organizations to discover a breach had occurred.
  • There were 46 incidents in September, compared to 33 in August, 36 in July and 52 in June.
  • Extortion is on the rise across all sectors, with the healthcare sector and education sector as prime targets for extortionists due to the sensitivity of the data and lack of security.
  • A string of insider breaches first reported in September have taken at least a year to discover, and in some cases several years lapsed before discovery. “It’s paramount for healthcare organizations to become more proactive and efficient at detecting these insider breaches, as the organization’s reputation and patient livelihoods are at stake,” the report authors wrote.
  • Insiders were responsible for 33 percent of September’s breach incidents, and insider-wrongdoing affects almost three times as many patient records as insider-error.
  • The report noted one incident involving paper records,  an example of malicious insider-wrongdoing. A hospital employee stole a laptop and paper records, and then used that patient information to open credit cards in the patients’ names.
  • The reported incidents in September took an average of 387 days (median = 38 days) for healthcare organizations to discover. The report noted that the longevity of this type of breach reinforces the need to have technology in place that can proactively detect a health data breach.

When it comes to the insider threat within healthcare, this data highlights the importance of two tactics: training and ongoing security education to combat the negligent insider and threat detection monitoring to combat the malicious insider.