Statistics on Healthcare Data Breaches

We have compiled healthcare data breach statistics from October 2009, when the Department of Health and Human Services’ Office for Civil Rights (OCR) first started publishing summaries of healthcare data breaches on its web portal.

The healthcare data breach figures below only include data breaches of 500 or more records, as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being reviewed by OCR.

Our healthcare data breach statistics clearly show an upward trend in data breaches over the last 9 years, with 2018 seeing more data breaches reported than any other year since records first started being published.

There have also been major changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports from 2009-2015, although better policies and processes and the use of encryption have helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main cause of healthcare data breaches is now hacking/IT incidents, with unauthorized access/disclosures also common.

Between 2009 and 2018 there were 2,546 healthcare data breaches involving over 500 records. Those breaches have led to the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States. Healthcare data breaches are now being reported to OCR at a rate of more than one per day.

healthcare data breaches 2009 to 2018

There has been a general increase in the number of records exposed each year, with a massive rise in 2015. 2015 was the worst year in history for breached healthcare records, with more than 113.27 million records impacted. 2012 was the best year, with just 2,808,042 healthcare records exposed. The situation improved after 2015, with consecutive falls in the number of exposed records, although that trend did not continue in 2018. The number of exposed records grew twofold year over year, from 5,138,179 records in 2017 to 13,236,569 records in 2018.

Records exposed in healthcare data breaches 2009 to 2018

average healthcare data breach size 2009 to 2018

median data breach size 2009 to 2018

Our healthcare data breach statistics show hacking is now the main cause of healthcare data breaches, although it should be noted that healthcare groups are now much better at detecting hacking incidents. The low number of hacking/IT incidents in the earlier years could be due in part to the failure to identify hacking incidents and malware infections quickly. Many of the hacking incidents between 2014-2018 happened many months, and in some cases years, before they were detected.

healthcare hacking incidents 2009-2018

records exposed in healthcare hacking incidents 2009-2018

As with hacking, healthcare groups are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the leading cause of breaches, unauthorized access/disclosure incidents follow closely.

unauthorized access/disclosure data breaches 2009-2018

records exposed in unauthorized access/disclosure breaches

Our healthcare data breach statistics show HIPAA covered groups and business associates have become significantly better at safeguarding healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by anyone. Many of these theft/loss incidents involve paper records, which can equally lead to the exposure of large amounts of patient information.

theft and loss incidents - healthcare

records exposed in theft/loss incidents

healthcare improper disposal data breaches

records exposed in healthcare improper disposal incidents

OCR Settlements and Fines for HIPAA Breaches

The penalties for HIPAA breaches can be massive. Multi-million-dollar fines are possible when breaches have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to happen.

The penalty levels for HIPAA violations are detailed in the infographic here:


About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth.