The Department of Health and Human Services’ Office for Civil Rights (OCR) began publishing summaries of healthcare data breaches in October 2009. Breaches affecting fewer than 500 individuals are not included in the summaries; breaches of 500 or more records are listed whether OCR’s investigation is still open or the case has been closed. The statistics show an upward trend in data breaches over the past 9 years, and 2017 had more reported breaches than any other year since the summaries were first published.
The main causes of breaches have also changed over the years. From 2009 to 2015, the loss or theft of healthcare records and ePHI was the leading cause of reported breaches. These breaches are largely preventable, and the adoption of better policies and procedures, together with encryption of data on portable devices, helped reduce them. As a result, hacking/IT incidents and unauthorized access/disclosure are now the main causes of healthcare data breaches.
The total number of reported healthcare data breaches of 500 or more records from 2009 to 2017 is 2,181, exposing or compromising 176,709,305 healthcare records over that period. More than one healthcare data breach is now being reported per day on average. Although the number of exposed records had risen year on year, 2017 broke that trend: it still recorded the most incidents (359), but the individual breaches were smaller.
Healthcare organizations are also getting better at detecting breaches, which is part of why hacking now tops the list of causes. It is very likely that the low number of hacking/IT incidents in earlier years reflects a failure to detect them rather than a genuine absence of attacks. Note that many of the hacking incidents reported in recent years actually occurred months or even years before they were discovered, so a breach is counted in the year it is detected and reported, not the year the intrusion began. Detection of internal breaches has improved as well: unauthorized access/disclosure incidents are now the second most common cause of reported breaches.
The statistics also show improvement in protecting physical healthcare records from loss or theft, and in protecting ePHI on portable devices through technical controls such as full-disk encryption. Encryption matters here because ePHI that is encrypted in line with HHS guidance is not considered “unsecured” PHI, so the loss of a properly encrypted device does not have to be reported as a breach. Even so, there are still incidents involving unencrypted laptops and other electronic devices stolen after being left unsecured in vehicles or public places.
HIPAA enforcement has increased steadily over the past 9 years. OCR has issued more settlements and civil monetary penalties for HIPAA violations, and the amounts have grown as well: multi-million dollar settlements and fines are now the norm. State attorneys general can also bring actions for HIPAA violations, with statutory damages typically ranging from $100 per violation up to a cap of $25,000 per year for violations of the same provision, but only a few U.S. states have issued such fines.