Since October 2009, the Department of Health and Human Services’ Office for Civil Rights (OCR) has been posting summaries of U.S. healthcare data breaches (those affecting 500 or more individuals) on its website. By the end of 2018, 2,545 healthcare data breaches had been reported, resulting in 194,853,404 healthcare records being stolen, impermissibly disclosed, or exposed. Over that period the healthcare records of 59.8% of people in the United States have been breached.
In every year except 2015, the number of reported healthcare data breaches has increased. In 2018, 365 healthcare data breaches were reported, an increase of about 2% from the 358 breaches reported in 2017 and 83% more than in 2010.
2018 also saw 157.67% more healthcare records exposed than in 2017: the records of 13,236,569 individuals were breached.
Largest 2018 Healthcare Data Breaches
- AccuDoc Solutions, Inc. – 2,652,537 individuals affected
- Iowa Health System d/b/a UnityPoint Health – 1,421,107 individuals affected
- Employees Retirement System of Texas – 1,248,263 individuals affected
- CA Department of Developmental Services – 582,174 individuals affected
- MSK Group – 566,236 individuals affected
- CNO Financial Group, Inc. – 566,217 individuals affected
- LifeBridge Health, Inc – 538,127 individuals affected
- Health Management Concepts, Inc. – 502,416 individuals affected
- AU Medical Center, INC – 417,000 individuals affected
- SSM Health St. Mary’s Hospital in Jefferson City – 301,000 individuals affected
Causes of Healthcare Data Breaches in 2018
82.47% of all healthcare data breaches reported in 2018 were hacking/IT incidents or unauthorized access/disclosure incidents. Hacking/IT incidents accounted for 43.29% of breaches and unauthorized access/disclosures for 39.18%. Theft accounted for 11.5% of reported breaches (42 cases), loss of PHI/ePHI for 3.56% (13 cases) and improper disposal for 2.47% (9 cases).
Hacking/IT incidents increased by 5.33% year over year, from 150 cases in 2017 to 158 in 2018. Although the increase in the number of hacking/IT breaches was small, 161.89% more healthcare records were exposed in that category than in 2017. Unauthorized access/disclosure incidents increased by 14.4% compared to 2017, and 146.49% more healthcare records were exposed in that category than in the preceding year.
2018 saw a decline in theft, loss, and improper disposal breaches. Loss incidents declined by 18.75%, from 16 in 2017 to 13 in 2018; improper disposal incidents declined by 18.18%, from 11 in 2017 to 9 in 2018; and theft incidents declined by 25%, from 56 in 2017 to 42 in 2018. Although the number of theft and improper disposal cases fell, more records were exposed in those breaches than in the previous year. The average size of loss incidents declined by 6.33%, from 2,461 records in 2017 to 2,305 in 2018.
Location of Breached PHI
Email was involved in 33.42% of all 2018 healthcare data breaches. Email breaches include phishing attacks, misdirected emails and unauthorized access to email accounts. Email security controls and phishing awareness training for healthcare personnel therefore remain priorities.
Although healthcare providers may focus on protecting against cyberattacks and enhancing technical defenses, they still need to safeguard physical records. 81 breaches in 2018, 22.19% of the total, involved physical PHI such as documents, charts and films.
Network servers are the next most frequent location of breached PHI: incidents involving network servers, such as ransomware attacks, hacks and malware infections, accounted for 20.27% of all 2018 breaches.
Healthcare Data Breaches in 2018 by Covered Entity Type
Healthcare providers reported 74.79% of breaches in 2018, health plans reported 14.52% and business associates of HIPAA-covered entities reported 10.68%. Business associate data breaches nevertheless accounted for 42% of all breached records.
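The breach-type, location and covered-entity percentages in the three sections above can be reproduced from the CSV export of the OCR breach portal. The script below is an added example, not code from the original report; the column names and category spellings ("Type of Breach", "Location of Breached Information", "Paper/Films", "Hacking/IT Incident", and so on) are assumptions about the portal's export format, and the eight rows are constructed sample data, not real breach reports. The point worth seeing is how the location figures are derived: OCR records several locations for one breach as a comma-separated list inside a single quoted field, so "email was involved in 33.42% of breaches" counts every breach in which email appears, and the location shares do not sum to 100%.

```python
"""Reproduce OCR breach-portal breakdowns (type, location, entity type, state).

Added example; not part of the original report. Column names and category
spellings are assumed to match the OCR breach portal CSV export.
"""
import csv
import io
from collections import Counter

# Constructed sample in the shape of an OCR portal export. Not real breach records.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,CA,Healthcare Provider,1200,01/15/2018,Hacking/IT Incident,"Email, Network Server",No
Example Plan B,TX,Health Plan,5000,02/03/2018,Unauthorized Access/Disclosure,Paper/Films,No
Example Vendor C,NY,Business Associate,250000,03/21/2018,Hacking/IT Incident,Network Server,Yes
Example Clinic D,CA,Healthcare Provider,800,04/09/2018,Theft,Laptop,No
Example Hospital E,IL,Healthcare Provider,3100,05/30/2018,Unauthorized Access/Disclosure,Email,No
Example Clinic F,TX,Healthcare Provider,600,06/12/2018,Loss,Paper/Films,No
Example Clinic G,CA,Healthcare Provider,900,07/01/2018,Improper Disposal,Paper/Films,No
Example Clinic H,FL,Healthcare Provider,2200,08/18/2018,Hacking/IT Incident,Email,Yes
"""

# Columns the portal fills with a comma-separated list when a breach has several values.
MULTI_VALUED = ("Type of Breach", "Location of Breached Information")


def load_breaches(text):
    """Parse the CSV text into dicts; split multi-valued columns into lists."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = dict(row)
        rec["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
        for col in MULTI_VALUED:
            rec[col] = [v.strip() for v in row[col].split(",") if v.strip()]
        rows.append(rec)
    return rows


def pct(n, total):
    return round(100.0 * n / total, 2)


def breakdown(rows, column):
    """Map each value of `column` to (breach count, share of all breaches).

    A breach with several values in a multi-valued column is counted once per
    value, so the shares of a multi-valued column can exceed 100% in total.
    That is how "email was involved in N% of breaches" is computed.
    """
    counts = Counter()
    for r in rows:
        vals = r[column] if isinstance(r[column], list) else [r[column]]
        for v in set(vals):
            counts[v] += 1
    return {v: (c, pct(c, len(rows))) for v, c in counts.items()}


def records_by(rows, column):
    """Total individuals affected per value of a single-valued column."""
    totals = Counter()
    for r in rows:
        totals[r[column]] += r["Individuals Affected"]
    return dict(totals)


def summarize(rows):
    by_type = breakdown(rows, "Type of Breach")
    hack = by_type.get("Hacking/IT Incident", (0, 0.0))[1]
    unauth = by_type.get("Unauthorized Access/Disclosure", (0, 0.0))[1]
    return {
        "breaches": len(rows),
        "records": sum(r["Individuals Affected"] for r in rows),
        "by_type": by_type,
        "by_location": breakdown(rows, "Location of Breached Information"),
        "by_entity": breakdown(rows, "Covered Entity Type"),
        "by_state": breakdown(rows, "State"),
        "records_by_entity": records_by(rows, "Covered Entity Type"),
        "hack_plus_unauth_pct": round(hack + unauth, 2),
        "largest": sorted(rows, key=lambda r: r["Individuals Affected"], reverse=True)[:3],
    }


if __name__ == "__main__":
    s = summarize(load_breaches(SAMPLE_CSV))
    print(f"{s['breaches']} breaches, {s['records']:,} records")
    for section in ("by_type", "by_location", "by_entity", "by_state"):
        print(section)
        for value, (count, share) in sorted(s[section].items(), key=lambda kv: -kv[1][0]):
            print(f"  {value:<32} {count:>3}  {share:>6.2f}%")
    print("largest:", [(r["Name of Covered Entity"], r["Individuals Affected"]) for r in s["largest"]])
```

To run it against the real data, replace SAMPLE_CSV with the contents of the portal's CSV export filtered to the year of interest. States with no reported breaches will not appear in the "by_state" output at all, since the counter only sees states present in the file; a zero row for them has to be added from a fixed list of states.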
States Affected by Healthcare Data Breaches in 2018
California and Texas were the states worst affected by healthcare data breaches in 2018. Just four states did not report any healthcare data breaches in 2018: Vermont, South Dakota, South Carolina and New Hampshire. The number of breaches reported by each state was as follows:
- California – 38
- Texas – 32
- Illinois – 19
- Florida – 18
- Massachusetts – 18
- New York – 16
- Missouri – 14
- Pennsylvania – 11
- Iowa, Michigan, Minnesota, Wisconsin – 10
- Maryland, Ohio, Oregon – 9
- Arizona, North Carolina, Virginia – 8
- Georgia, New Jersey, Tennessee, Washington – 7
- Colorado, Kansas, Nevada – 6
- Arkansas, Indiana, Nebraska, New Mexico, Utah – 5
- Connecticut, Kentucky – 4
- Alaska, Louisiana, Mississippi, Montana, Rhode Island – 2
- Alabama, District of Columbia, Oklahoma, Wyoming – 1
- Hawaii, Idaho, Maine, North Dakota, West Virginia – 0
- New Hampshire, South Carolina, South Dakota, Vermont – 0
HIPAA Fines and Settlements in 2018
OCR and state attorneys general have the authority to issue financial penalties for HIPAA violations and data breaches. In 2018, OCR issued 10 financial penalties totaling $25,683,400 to resolve HIPAA violations. Although more fines and settlements were issued in 2016, the total penalty amount for 2018 was higher than in any previous year. State attorneys general issued a further 12 financial penalties in 2018 to resolve HIPAA violations.