2015 to 2018: Summary of Healthcare Data Security Breaches

In the last three years there have been 955 major healthcare security breaches that have resulted in the exposure/theft of 135,060,443 healthcare records. Over 41% of the population of the United States have had a portion of their protected health information exposed as a result of those breaches, which have been happening at a rate of almost one daily over the past three years.

There has been a constant increase in reported security breaches in the healthcare sector in the last three years. In 2015 there were 270 data breaches involving more than 500 records registered with the Department of Health and Human Services’ Office for Civil Rights (OCR). The figure increased to 327 security breaches in 2016, and 342 security breaches during 2017.

[Figure: Healthcare data security breaches, 2015-18]

More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals impacted by healthcare data breaches has been dropping year over year for the past three years.

In 2015, a very bad year for healthcare industry data breaches, 112,107,579 healthcare records were exposed or illegally taken. Most of those records were exposed in three data breaches: the 78.8 million-record data breach that occurred at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.

Other significant security breaches in 2015 include the University of California Los Angeles Health breach of 4.5 million records and the Medical Informatics Engineering breach of 3.9 million records.

During 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: the 3.62 million-record data breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach experienced at 21st Century Oncology.

In 2017, the worst year on record for healthcare security incidents in terms of the number of breaches reported, there were 3,286,498 healthcare records exposed or obtained. There were two breaches that impacted more than half a million records: the 500,000-record breach encountered at Airway Oxygen, Inc., and the 697,800-record breach at Commonwealth Health Corporation.

15 Biggest Healthcare Security Breaches in the Last Three Years

 

| Rank | Year | Covered Entity | Entity Type | Records Exposed/Stolen | Breach Cause |
|---|---|---|---|---|---|
| 1 | 2015 | Anthem, Inc. Affiliated Covered Entity | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2 | 2015 | Premera Blue Cross | Health Plan | 11,000,000 | Hacking/IT Incident |
| 3 | 2015 | Excellus Health Plan, Inc. | Health Plan | 10,000,000 | Hacking/IT Incident |
| 4 | 2015 | University of California, Los Angeles Health | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 5 | 2015 | Medical Informatics Engineering | Business Associate | 3,900,000 | Hacking/IT Incident |
| 6 | 2016 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 7 | 2016 | Newkirk Products, Inc. | Business Associate | 3,466,120 | Hacking/IT Incident |
| 8 | 2016 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 9 | 2015 | CareFirst BlueCross BlueShield | Health Plan | 1,100,000 | Hacking/IT Incident |
| 10 | 2016 | Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident |
| 11 | 2016 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident |
| 12 | 2017 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft |
| 13 | 2015 | Virginia Department of Medical Assistance Services (VA-DMAS) | Health Plan | 697,586 | Hacking/IT Incident |
| 14 | 2016 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Unauthorized Access/Disclosure |
| 15 | 2015 | Georgia Department of Community Health | Health Plan | 557,779 | Hacking/IT Incident |

 

Chief Factors Leading to Security Breaches in Healthcare in the Last Three Years

The three main factors leading to security breaches in healthcare in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the theft of physical records and unencrypted electronic devices storing ePHI.

There has been a slow drop in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting records on portable electronic devices. However, improper disposal incidents have risen year over year along with hacking incidents. In 2017, hacking/IT incidents were the main cause of healthcare data breaches.

[Figure: Healthcare hacking breaches in 2017]

[Figure: Unauthorized access/disclosure healthcare data breaches in 2017]

[Figure: Loss/theft healthcare data breaches in 2017]

Increase in Penalties for Healthcare Security Breaches

Along with annual increases in data breaches, financial penalties for HIPAA violations have also been going up, both in terms of number of settlements and civil monetary penalties issued and the size of the penalties.

The HHS’ Office for Civil Rights is now enforcing HIPAA Rules far more aggressively and multi-million-dollar fines are regularly announced. The last three years have seen 29 HIPAA covered entities and business associates financially penalized for data breaches that have happened due to noncompliance with HIPAA Rules.

In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties from its HIPAA enforcement actions.

[Figure: HIPAA violation penalties]

Most Common HIPAA Violations Causes