
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Major 2016 Healthcare Data Breaches: Mid Year Summary

Cyberattacks on healthcare organizations are now a fact of life. As long as it remains profitable for hackers to conduct attacks on healthcare organizations, the cyberattacks will continue. Given the volume of healthcare data breaches now being reported, it is clear that the healthcare industry must do more to strengthen defenses against cyberattacks and insider threats. To do that, healthcare organizations need to look beyond HIPAA compliance.

Healthcare organizations had a torrid time in 2015. In 2015, more healthcare records were stolen than in any other year since records of breaches started being published by the Office for Civil Rights. Some of the cyberattacks on healthcare providers and health insurers resulted in staggering amounts of data being stolen.

Major 2016 Healthcare Data Breaches

Until the last week in June, it looked like the healthcare industry had avoided mega data breaches on the scale of the cyberattacks on Anthem, Premera BlueCross, and Excellus BlueCross BlueShield in 2015. However, as the first half of the year came to an end, a hacker offered a 9.3 million-record database for sale on a Darknet marketplace.

Other large-scale data breaches in 2016 include the cyberattack on 21st Century Oncology, a Fort Myers, Florida-based provider of cancer treatment. That attack potentially resulted in the accessing and theft of 2,213,597 patients’ records.


In February 2016, Florida-based Radiology Regional Center, PA, reported a breach of 483,063 patients’ PHI. The breach did not involve a hacker in this instance; instead, the data exposure occurred when patient files fell from a vehicle that was transporting them to be incinerated.

In May, California Correctional Health Care Services announced the potential exposure of 400,000 health records when an unencrypted laptop computer was stolen. A stolen laptop containing ePHI was also reported by Premier Healthcare, LLC, in April. The device theft resulted in the exposure of 205,748 patient records.

Community Mercy Health Partners also reported a breach of more than 100,000 patient records. Files containing the protected health information of 113,528 patients were discovered in a recycling bin in Springfield, Ohio.

Healthcare records were also potentially obtained as a result of a malware infection at EMR management company Bizmatics. It is not yet clear exactly how many patients were affected by that breach, although current figures indicate more than 265,000 individuals have been impacted.

In total, 142 healthcare data breaches involving more than 500 records have been reported to the Department of Health and Human Services’ Office for Civil Rights so far in 2016. During the same period in 2015, 143 data breaches were reported.

While not all data breaches may yet have made it onto the OCR breach portal, the current breach reports show how healthcare records are being exposed.

  • 48 data breaches were reported as unauthorized access
  • 43 data breaches were attributed to hacking or network server incidents
  • 37 breaches were caused by the loss or theft of devices used to store ePHI or the loss/theft of physical records
  • 4 breaches were due to the improper disposal of records

In terms of the records that were stolen or exposed:

  • 60% were due to hacking (2,703,961 records)
  • 29.78% were due to loss/theft (1,342,125 records)
  • 7.6% were the result of unauthorized access or disclosure (342,748 records)
  • 2.63% were the result of improper disposal (118,594 records)

More Than 11 Million Healthcare Records Exposed in June 2016

Figures from the Department of Health and Human Services’ Office for Civil Rights show 95,251 healthcare records were exposed or stolen in June 2016; however, there have been additional large-scale data breaches that have yet to appear on the OCR breach portal.

The series of hacks by TheDarkOverlord has yet to be added to the OCR breach portal. Add in the healthcare records that were stolen in those attacks, and others that have yet to make it onto the breach portal, and the total number of records exposed in June rises to 11,061,649, according to figures published in a recent Protenus report. The June figures are more than five times as high as the total number of healthcare records that were exposed in the first five months of the year. Between January and May 2016, 2,136,810 healthcare records were exposed.

The Protenus report indicates 41.4% of breaches in June were the result of hacking and the same percentage were caused by insider theft and errors. The theft or loss of paper copies of patients’ PHI or devices containing ePHI accounted for 17.2% of breaches in June.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
