December 2017 Report on Healthcare Data Breaches


Healthcare data breaches increased significantly in December 2017, up 81% from the previous month. Thirty-eight healthcare data breaches that impacted over 500 persons were reported. The number of exposed patient records in December also increased, by 219% from the previous month. In total, 341,621 patient records were exposed or stolen.

The pattern of breaches in December was similar to that of previous months. Healthcare providers had the most data breaches, but health plans saw a notable increase in breaches, from 2 in November to 6 in December.

The causes of healthcare data breaches were the same as last month. The most common causes of data breaches in December were hacking/IT incidents and unauthorized access/disclosures. There were 12 incidents involving network servers and 9 incidents involving paper records. These figures show the importance of having appropriate technological defenses and physical security to protect both electronic data and paper records.

Incidents involving stolen or lost portable devices and paper records also increased notably. The protected health information (PHI) of 122,921 patients was exposed because of stolen devices containing PHI and stolen paper records. The mean number of records exposed due to theft was 20,487, while the median was 15,857.

Unlike previous months, when hacking incidents occupied the top ten breach list, in December hacking incidents, thefts of electronic devices/healthcare records and unauthorized access/disclosures occurred in equal numbers.

In December, nine of the data breaches reported to the Office for Civil Rights impacted over 10,000 persons. The largest data breach was reported by the Oklahoma Department of Human Services, but this incident occurred in April 2016. The covered entity did not submit the breach report to the Office for Civil Rights promptly: the submission came 18 months after the 60-day deadline for breach reports.

The state with the most healthcare data breaches reported in December was California with 5 incidents, followed by Michigan with 4 incidents. Florida, Minnesota, Illinois, New England, New York, Nevada, Philadelphia and Texas had two data breaches each. Colorado, Iowa, Georgia, Indiana, Missouri, Massachusetts, New Jersey, North Carolina, Oklahoma, Ohio, Oregon, West Virginia and Tennessee had one breach report each.