Over the last three years there have been 955 major healthcare security breaches, resulting in the exposure or theft of 135,060,443 healthcare records. More than 41% of the U.S. population has had some of their protected health information (PHI) compromised in those breaches, which were reported at a rate of roughly one a day over the three-year period.
The number of reported healthcare security breaches has risen year over year. In 2015, 270 breaches affecting 500 or more individuals were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR); 500 individuals is the threshold at which the HIPAA Breach Notification Rule requires a breach to be reported to OCR within 60 days of discovery (smaller breaches are reported annually). The number rose to 327 in 2016 and 342 in 2017.
2015 was by far the worst year for the number of healthcare records compromised: 112,107,579 records were exposed or stolen. Most came from three incidents: Anthem Inc’s 78.8 million-record data breach, Premera Blue Cross’ 11 million-record breach, and Excellus Health Plan’s 10 million-record breach.
Other significant security breaches in 2015 include the University of California Los Angeles Health’s 4.5 million-record breach and Medical Informatics Engineering’s 3.9 million-record breach.
In 2016, 14,679,461 healthcare records were exposed or stolen. Three incidents each involved more than 1 million records: Banner Health’s 3.62 million-record breach, Newkirk Products Inc’s 3.46 million-record breach, and 21st Century Oncology’s 2.21 million-record breach.
2017 was the worst year for the number of healthcare security breaches reported, but far fewer records were involved: a total of 3,286,498 healthcare records were exposed or stolen in 342 breaches. Only two breaches involved half a million or more records: Commonwealth Health Corporation’s 697,800-record breach and Airway Oxygen, Inc’s 500,000-record breach.
15 Largest Security Breaches in Healthcare in the Last Three Years
1. Anthem, Inc. Affiliated Covered Entity (2015) – 78,800,000 records exposed or stolen – Hacking/IT Incident
2. Premera Blue Cross (2015) – 11,000,000 records exposed or stolen – Hacking/IT Incident
3. Excellus Health Plan, Inc. (2015) – 10,000,000 records exposed or stolen – Hacking/IT Incident
4. University of California, Los Angeles Health (2015) – 4,500,000 records exposed or stolen – Hacking/IT Incident
5. Medical Informatics Engineering (2015) – 3,900,000 records exposed or stolen – Hacking/IT Incident
6. Banner Health (2016) – 3,620,000 records exposed or stolen – Hacking/IT Incident
7. Newkirk Products, Inc. (2016) – 3,466,120 records exposed or stolen – Hacking/IT Incident
8. 21st Century Oncology (2016) – 2,213,597 records exposed or stolen – Hacking/IT Incident
9. CareFirst BlueCross BlueShield (2015) – 1,100,000 records exposed or stolen – Hacking/IT Incident
10. Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants (2016) – 882,590 records exposed or stolen – Hacking/IT Incident
11. County of Los Angeles Departments of Health and Mental Health (2016) – 749,017 records exposed or stolen – Hacking/IT Incident
12. Commonwealth Health Corporation (2017) – 697,800 records exposed or stolen – Theft
13. Virginia Department of Medical Assistance Services (VA-DMAS) (2015) – 697,586 records exposed or stolen – Hacking/IT Incident
14. Bon Secours Health System Incorporated (2016) – 651,971 records exposed or stolen – Unauthorized Access/Disclosure
15. Georgia Department of Community Health (2015) – 557,779 records exposed or stolen – Hacking/IT Incident
Major Causes of Healthcare Security Breaches from 2015 to 2017
The three major causes of healthcare security breaches in the past three years were:
- Hacking/IT incidents
- Unauthorized access or disclosure
- Theft/loss of physical records and unencrypted portable electronic devices containing ePHI
Theft/loss incidents have fallen considerably over the past three years as healthcare providers have increasingly encrypted the data on portable electronic devices. Under HHS guidance, the loss of a device whose ePHI is encrypted to the specified standard is not a reportable breach, so encryption removes these incidents from the reported count as well as limiting the harm when a device goes missing. However, improper disposal incidents and hacking incidents rose year over year, and in 2017 hacking/IT incidents overtook unauthorized access/disclosure as the leading cause of healthcare data breaches.
Financial Penalties for Healthcare Security Breaches from 2015 to 2017
Alongside the year-over-year increase in data breaches, financial penalties for HIPAA violations have also increased, both in the number of settlements and civil monetary penalties and in the amounts involved.
The HHS’ Office for Civil Rights (OCR) has become more aggressive in enforcing the HIPAA Rules, which has resulted in many multi-million-dollar settlements and fines for HIPAA violations. In the past three years, 29 HIPAA covered entities and business associates have been penalized for data breaches that resulted from noncompliance with the HIPAA Rules.
OCR collected $49,091,700 in settlements and civil monetary penalties between 2015 and 2017. The average penalty amount in 2017 was $1.94 million.