In the last three years there have been 955 major healthcare security breaches, resulting in the exposure or theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had a portion of their protected health information exposed by those breaches, which have occurred at a rate of almost one per day over the past three years.
Reported security breaches in the healthcare sector have increased steadily over the last three years. In 2015 there were 270 data breaches involving 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The figure rose to 327 breaches in 2016 and 342 breaches in 2017.
More healthcare security breaches are now being reported than at any time since HIPAA first required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has fallen year over year for each of the past three years.
In 2015, a particularly bad year for healthcare data breaches, 112,107,579 healthcare records were exposed or stolen. Most of those records were exposed in three data breaches: the 78.8 million-record breach at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.
Other significant security breaches in 2015 included the University of California Los Angeles Health breach of 4.5 million records and the Medical Informatics Engineering breach of 3.9 million records.
During 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: the 3.62 million-record breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach at 21st Century Oncology.
In 2017, the worst year on record for healthcare security incidents in terms of the number of breaches reported, 3,286,498 healthcare records were exposed or stolen. Two breaches affected more than half a million records: the 500,000-record breach at Airway Oxygen, Inc., and the 697,800-record breach at Commonwealth Health Corporation.
15 Biggest Healthcare Security Breaches in the Last Three Years
|Rank|Year|Covered Entity|Entity Type|Records Exposed/Stolen|Breach Cause|
|---|---|---|---|---|---|
|1|2015|Anthem, Inc. Affiliated Covered Entity|Health Plan|78,800,000|Hacking/IT Incident|
|2|2015|Premera Blue Cross|Health Plan|11,000,000|Hacking/IT Incident|
|3|2015|Excellus Health Plan, Inc.|Health Plan|10,000,000|Hacking/IT Incident|
|4|2015|University of California, Los Angeles Health|Healthcare Provider|4,500,000|Hacking/IT Incident|
|5|2015|Medical Informatics Engineering|Business Associate|3,900,000|Hacking/IT Incident|
|6|2016|Banner Health|Healthcare Provider|3,620,000|Hacking/IT Incident|
|7|2016|Newkirk Products, Inc.|Business Associate|3,466,120|Hacking/IT Incident|
|8|2016|21st Century Oncology|Healthcare Provider|2,213,597|Hacking/IT Incident|
|9|2015|CareFirst BlueCross BlueShield|Health Plan|1,100,000|Hacking/IT Incident|
|10|2016|Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants|Healthcare Provider|882,590|Hacking/IT Incident|
|11|2016|County of Los Angeles Departments of Health and Mental Health|Healthcare Provider|749,017|Hacking/IT Incident|
|12|2017|Commonwealth Health Corporation|Healthcare Provider|697,800|Theft|
|13|2015|Virginia Department of Medical Assistance Services (VA-DMAS)|Health Plan|697,586|Hacking/IT Incident|
|14|2016|Bon Secours Health System Incorporated|Healthcare Provider|651,971|Unauthorized Access/Disclosure|
|15|2015|Georgia Department of Community Health|Health Plan|557,779|Hacking/IT Incident|
Chief Factors Leading to Security Breaches in Healthcare in the Last Three Years
The three main causes of healthcare security breaches in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the theft of physical records and of unencrypted electronic devices storing ePHI.
There has been a gradual decline in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting data on portable electronic devices. However, improper disposal incidents have risen year over year, as have hacking incidents. In 2017, hacking/IT incidents were the leading cause of healthcare data breaches.
Increase in Penalties for Healthcare Security Breaches
Along with the annual increase in data breaches, financial penalties for HIPAA violations have also risen, both in the number of settlements and civil monetary penalties issued and in the size of those penalties.
The HHS’ Office for Civil Rights is now enforcing the HIPAA Rules far more aggressively, and multi-million-dollar fines are regularly announced. Over the last three years, 29 HIPAA covered entities and business associates have been financially penalized for data breaches that resulted from noncompliance with the HIPAA Rules.
In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties through its HIPAA enforcement actions.