Dedicated to providing the latest
HIPAA compliance news

Largest Healthcare Data Breaches of 2016

Share this article on:

2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year.

As of February 6, 2017 there have been 329 reported breaches of more than 500 records that have been uploaded to the OCR breach portal.

2016 Healthcare Data Breaches of 500 or More Records


Year Number of Breaches (500+) Number of Records Exposed
2016 329 16,471,765
2015 270 113,267,174
2014 307 12,737,973
2013 274 6,950,118
2012 209 2,808,042
2011 196 13,150,298
2010 198 5,534,276
2009 18 134,773
Total 1801 171,054,419


Largest Healthcare Data Breaches of 2016

While the above figures appear to suggest a significant reduction in large healthcare data breaches year on year, the figures are somewhat misleading.

In 2015 there were three massive data breaches reported by covered entities: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three cyberattacks resulted in the theft of 78.8 million records, 11 million, and 10 million records respectively.

More records may have been exposed in 2015 as a result of those major cyberattacks, although in each size category, 2016 ranked worse than 2015. Many healthcare organizations will be happy to put 2016 behind them.


Year Breaches of More Than 500 Records
500 to 1000 1,000 to 10,000 10,000 to 100,000 100,001+
2016 89 158 67 14
2015 76 142 37 12

*No total submitted for one healthcare data breach in 2016


Aside from one major breach at a business associate and a health plan, all of the largest healthcare data breaches of 2016 – those that resulted in the exposure or theft of more than 100,000 healthcare records – affected healthcare providers. The largest healthcare data breach of 2016  experienced by a health plan was the 381,504-record breach reported by Community Health Plan of Washington in December.

Largest Healthcare Data Breaches of 2016


Rank Covered Entity Entity Type Cause of Breach Records Exposed
1 Banner Health Healthcare Provider Hacking/IT Incident 3,620,000
2 Newkirk Products, Inc. Business Associate Hacking/IT Incident 3,466,120
3 21st Century Oncology Healthcare Provider Hacking/IT Incident 2,213,597
4 Valley Anesthesiology Consultants Healthcare Provider Hacking/IT Incident 882,590
5 County of Los Angeles Departments of Health and Mental Health Healthcare Provider Hacking/IT Incident 749,017
6 Bon Secours Health System Incorporated Healthcare Provider Unauthorized Access/Disclosure 651,971
7 Peachtree Orthopaedic Clinic Healthcare Provider Hacking/IT Incident 531,000
8 Radiology Regional Center, PA Healthcare Provider Loss 483,063
9 California Correctional Health Care Services Healthcare Provider Theft 400,000
10 Community Health Plan of Washington Health Plan Hacking/IT Incident 381,504
11 Central Ohio Urology Group, Inc. Healthcare Provider Hacking/IT Incident 300,000
12 Premier Healthcare, LLC Healthcare Provider Theft 205,748
13 Athens Orthopedic Clinic, P.A. Healthcare Provider Unauthorized Access/Disclosure 201,000
14 Community Mercy Health Partners Healthcare Provider Improper Disposal 113,528


Main Causes of Healthcare Data Breaches in 2016

Insider breaches continue to plague the healthcare industry in the United States. Insiders may not have caused the largest healthcare data breaches of 2016, although these breaches can cause the most harm to patients. The data stolen in these incidents is commonly used for identity theft and fraud, and usually relatively soon after data have been stolen. Hackers often wait for a year or two before data are used.

As in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of those at Anthem, Premera, and Excellus were not repeated in 2016, but 2016 saw a major increase in healthcare hacks.

The loss and theft of unencrypted devices used to store PHI fell considerably year on year, although the use of data encryption technology could have prevented all of those data breaches and the exposure of almost 1,500,000 healthcare records.

Main Cause of Breach 2016 2015
Unauthorized Access/Disclosure 130 102
Hacking/IT Incident 113 57
Theft 62 81
Loss 16 23
Improper Disposal 7 6

*One cause of breach in 2016 was not reported

2016 Healthcare Data Breaches by Covered Entity

Healthcare data breaches in 2016 followed a similar pattern to 2015, with healthcare providers the main entities breached, although the percentage of breaches affecting health plans was significantly lower in 2015. Data breaches at business associates remained at the same level year on year.


Breached Entity 2016 2015
Healthcare Provider 257 196
Health Plan 52 62
Business Associate 20 19


Data Source: Department of Health and Human Services’ Office for Civil Rights: Figures Updated February 7, 2017

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On