The US Department of Health and Human Services’ Office for Civil Rights (OCR) publishes healthcare data breach statistics relating to data breaches involving more than 500 records. Here, we provide some of the most important insights from these data, and summarize the implications for HIPAA Covered Entities and Business Associates.
In 2010, 199 healthcare data breaches involving more than 500 records were reported to OCR. Just over a decade later, in 2021, this number had more than tripled to 715, meaning that healthcare data is being compromised, or at least reported as compromised, at an alarming rate. So far in 2022, OCR has been notified of 472 breaches, a figure that will rise further as the remaining reports for the year are submitted. In total, OCR has published information on over 4,900 events involving exposed, or potentially exposed, healthcare data since records began in 2009.
This increase in the rate at which OCR receives reports of healthcare breaches has been mirrored by a growing number of individuals affected by these events. In 2010, just under 6 million people across the country had their data exposed in a breach – an average of 30,000 individuals per breach. In 2021, this figure grew by a factor of eight, with 50 million affected individuals – 15% of the US population at the time. The average breach size also ballooned to 74,000 records compromised in each event. Since 2009, approximately 359 million records have been lost, stolen, or exposed in a healthcare data breach.
We can see that 2015 was an especially bad year for data breaches. 112 million individuals were affected by healthcare breaches, more than double the next highest year. This anomalously bad year was due to four of the ten most significant breaches ever recorded happening in 2015 – Anthem Inc (78.8 million records), Premera Blue Cross (11 million), Excellus Health Plan Inc. (10 million), and University of California Los Angeles Health (4.5 million).
There are four main types of businesses subject to the HIPAA Rules – healthcare providers, health plans, healthcare clearing houses, and Business Associates which provide services to or on behalf of HIPAA Covered Entities.
Since healthcare data breach statistics were first recorded in 2009, the vast majority of breaches have involved healthcare providers (3,594 cases), including hospitals, dentists, nursing homes, clinics, and other organizations. Business Associates, a term which covers a vast array of entities ranging from billing companies to cloud service providers, were linked to 672 breaches. A similar number of breaches involved health plans (633), a category comprising organizations such as health insurance companies and government healthcare programs (for example, Medicare). Over the same period, healthcare clearing houses (which convert non-standard healthcare data into a standard format) were involved in only 10 breaches.
There is a strong correlation between a state’s population and its number of reported breaches: the most populous states are also the hardest hit. California, the most populous state, has suffered 495 breaches of more than 500 records since 2009. Texas, Florida, and New York (the next largest by population) have experienced 407, 295, and 293, respectively. By contrast, Covered Entities and Business Associates operating in Wyoming, a state with a population of just under 600,000, have reported only 15 breaches of more than 500 records to OCR.
Since 2009, nearly half of all reported breaches have been attributed to hacking or IT-related incidents. A common method used by hackers to gain access to protected health information is phishing. In a phishing attack, a member of the workforce receives an electronic communication, typically an email, that dupes them into visiting a fake login page, clicking a malicious link, or opening an attachment containing malware. The attacker then uses the harvested credentials, or the foothold provided by the malware, to access private data. Phishing was the initial point of entry in the 2015 Anthem breach, in which 78.8 million records were stolen.
A quarter of breaches involved unauthorized access or disclosure: individuals viewing sensitive healthcare information without authorization, or data being disclosed to recipients without the proper protocols being followed. Some of these incidents are honest mistakes in handling the data; others involve an employee deliberately accessing records for personal gain. In either case, they constitute serious violations of HIPAA.
Theft accounted for a further fifth of reported breaches. HIPAA Covered Entities and Business Associates must have appropriate physical, technical, and administrative safeguards in place to prevent such incidents, but no safeguard is infallible. Closely related to theft is loss, for example an unencrypted laptop or portable drive holding patient records being misplaced. The qualifier “unencrypted” matters: under HHS guidance, PHI on a device encrypted to the recommended standard is not considered unsecured, so losing such a device does not trigger breach notification and does not appear in these statistics. Loss incidents, although serious, represent only 5% of all cases.
HIPAA requires that healthcare data be disposed of appropriately once it is no longer required to be held. For paper records this means shredding, pulping, or similar destruction. For electronic records it means wiping or physically destroying the media so that the data cannot be recovered, since simply deleting files is not sufficient. Improper disposal incidents are relatively rare, making up only 2% of all incidents.
Although hacking now accounts for nearly half of all reported breaches, this is a relatively recent development. Before 2018, hacking caused a similar number of breaches per year as unauthorized access incidents (50-100). The rise may simply reflect more successful attacks: cybercriminals have grown increasingly sophisticated, and their phishing emails can be difficult to spot. Alternatively, Covered Entities may have become better at detecting breaches that would previously have gone unnoticed; historically, organizations sometimes went many months before realizing that data had been compromised.
Between 2010 and 2016, theft posed a severe threat to healthcare data, with over 100 breaches a year attributed to it. Since 2020, the annual figure has fallen below 20, which suggests that organizations have strengthened the physical safeguards protecting their data and devices.
Although hacking incidents account for only around half of all breaches, even in recent years, the overwhelming majority of affected individuals are linked to them. Since 2019, hacking incidents have compromised tens of millions of healthcare records every year. Part of the explanation is a small number of huge breaches; in 2015, for example, the four large breaches noted above accounted for over 100 million breached records. More generally, a successful intrusion gives criminals access to a vast amount of information for relatively little effort, which is why hacking poses such a significant threat to healthcare organizations. By comparison, even the several million records a year compromised by unauthorized access/disclosure incidents look small. Theft, which once affected upwards of 5 million individuals a year, now accounts for only a few hundred thousand breached records, and improper disposal and loss incidents each affect only a few tens of thousands of individuals per year.
The ten largest breaches on record account for a disproportionate share of affected individuals: 145 million of the roughly 360 million records compromised since records began. Hacking incidents dominate this list, as a network intrusion can expose far more records at once than a lost device or a misdirected disclosure. Four of the ten occurred in 2015, all of them hacking incidents, which is why 2015 was more than twice as bad as the next highest year (112 million records versus 52 million in 2021). Another notable feature of these breaches is how often Business Associates are involved: despite being linked to only 14% of all breaches, they appear in four of the ten largest incidents.
OCR, the agency responsible for enforcing HIPAA, has been penalizing Covered Entities for non-compliance at an increasing rate since 2010, mirroring the growth in the number of breaches over the same period. Part of this increase, however, reflects stricter enforcement priorities. In 2020, for example, OCR targeted entities that failed to give individuals timely access to their own records, a right guaranteed by the HIPAA Privacy Rule’s right of access provision.
The average settlement or penalty imposed by OCR is around $1.1 million ($129 million collected over 117 cases), although this has varied significantly by year. In 2018, for example, several multi-million-dollar penalties for major healthcare breaches pushed the average to roughly $3.4 million. Most of the $129 million was collected via settlements (109 cases); only eight cases were resolved by OCR imposing a civil monetary penalty.
When looking at the biggest penalties levied by OCR, there is some overlap between these and the largest breaches on record; Anthem Inc, Premera Blue Cross, and Excellus Health Plan appear on both lists.
The challenge in interpreting healthcare data breach statistics is that it is difficult to identify the causes of trends. Are there more reported data breaches because there are more data breaches, or because more data breaches are being reported? Are Covered Entities and Business Associates failing to implement measures to comply with HIPAA or are cybercriminals getting smarter?
With regards to enforcement action, OCR’s priorities frequently change. Enforcement action can be influenced more by the message it sends than the size of a breach or the reasons behind it. This is why enforcement action has recently been taken against small practices that have impermissibly disclosed PHI on social media or denied patients their right of access or right to an accounting of disclosures.
However, a significant takeaway from recent data breach enforcement actions is that civil monetary penalties are likely to be increased when there has been a failure to implement “peripheral” HIPAA compliance measures. These are measures, such as conducting a risk analysis or providing security awareness training, whose absence may not by itself be the cause of a data breach, but which could have reduced the risk of one occurring.
Similarly, the failure to enter into an appropriate agreement with a Business Associate, prepare for an effective incident response, or maintain accurate documentation can also contribute to the size of a civil monetary penalty or the term of a Corrective Action Plan following a data breach when these measures might have mitigated the consequences of the data breach.
Consequently, the implications of the healthcare data breach statistics for HIPAA Covered Entities and Business Associates are that it is important to understand and implement all necessary HIPAA standards – not only to minimize the risk of adding to the healthcare data breach statistics, but also to minimize the size of any civil monetary penalty subsequently issued by HHS’ Office for Civil Rights.