Veriphyr’s Survey of Patient Privacy Breaches

Veriphyr proactively reports impermissible use of PHI the first time it happens.


Employees are the Leading Source of Breaches 

In 2011, Veriphyr published the results of a survey on Protected Health Information (PHI)  privacy breaches. According to the findings, over 70 percent of the organizations studied had suffered one or more breaches of PHI in 2010.

Eight years later, and still only thirty percent of healthcare providers are insured against privacy breaches, despite breaches costing some organizations millions.

Veriphyr’s research found that insiders were responsible for the majority of breaches. 35 percent of insider breaches involved employees snooping into the records of fellow employees, and 27 percent involved accessing records of friends and relatives.

The report, “Veriphyr’s 2011 Survey of Patient Privacy Breaches,” summarizes the findings of a survey of compliance and privacy officers at mid to large sized hospitals and healthcare service providers.

The survey asks respondents about their perceptions of privacy and compliance initiatives within their organization, adequacy of tools to monitor unauthorized access to PHI, and the number and type of breaches sustained in the past year.


Given that data breaches of patient information cost healthcare organizations nearly $6 billion annually, we were not very surprised to discover that more than 70 percent of the organizations surveyed were victimized,” said Alan Norquist, CEO of Veriphyr, “However, we did not expect the prevalence of insider abuse reported, and that nearly 80 percent of the respondents feel they lack adequate controls to detect PHI breaches in a timely fashion.”


The survey itself can be read here.

Some Key Findings

  • Top breaches in the prior 12 months by type:
    • Snooping into medical records of fellow employees (35%)
    • Snooping into records of friends and relatives (27%)
    • Loss /theft of physical records (25%)
    • Loss/theft of equipment holding PHI (20%)
  • When a breach occurred, it was detected in:
    • One to three days (30%)
    • One week (12%)
    • Two to four weeks (17%)
  • Once a breach was detected, it was resolved in:
    • One to three days (16%)
    • One week (18%)
    • Two to Four weeks (25%)
  • 79% of respondents were “somewhat concerned” or “very concerned” that their existing controls do not enable timely detection of breaches of PHI
  • 52% stated they did not have adequate tools for monitoring inappropriate access to PHI



Editorial Contact:

Marc Gendron
Marc Gendron PR