2015 Biannual Healthcare Data Breach Report Released

The healthcare industry had a particularly torrid time last month with 18 data breaches reported to the OCR, exposing 1,455,863 records, the bulk of which came from the CareFirst data breach. This month the number of data breaches reported has increased to 21, although the number of new victims created was much lower, with 159,231 individuals affected.

An analysis of the data breach reports for the past three years shows that little has changed since 2014, “the year of the data breach,” at least not for the better. Fewer data breaches have been reported in 2015 than in 2014, 122 compared to 131, up until the end of June. However, measure the year in the number of victims created and 2015 is on an entirely different scale.

89,439,761 new data breach victims have been created so far this year, compared to 12,503,190 last year and 851,433 in 2013. Many of this year’s victims are now data breach veterans, having had their data exposed by their insurer and their healthcare provider.

Biannual Data Breach Report

2014 saw a big rise in the number of reported data breaches, and this year didn’t start too well. Two massive breaches at Anthem and Premera exposed tens of millions of records. The vast majority of breach victims from the last 6 months came from the Anthem breach. Hackers were able to steal 78.8 million records, while another 11 million were exposed in the Premera data breach. As a result, over seven times as many records have been exposed in the first half of 2015 as in the first half of 2014.

Little appears to be changing for the better, in spite of increased protections put in place by healthcare providers and health insurers. With hackers increasingly targeting holders of PHI, many HIPAA-covered entities still not encrypting data on portable devices and malware-as-a-service now being offered online, the last half of the year is not expected to finish well.

A Bright End to a Dreadful 6 Months for Data Breaches

One health insurer has decided to take action and address the risk of identity theft. The Blue Cross Blue Shield Association has announced it will offer Identity Theft Protection services to all of its members next year, without charge. All 106 million of them. The act may not decrease the number of breaches suffered, but at least one in three Americans will be better protected next year.

Business Associates of healthcare providers and insurers should also be commended. In 2013, the Omnibus Rule introduced a number of changes and BAs struggled to adapt to life under HIPAA. Unsurprisingly, many violated the new regulations and caused or suffered data breaches. In 2013, 31 Business Associates suffered breaches of Protected Health Information (PHI); in 2014 the number had increased to 44. This year there have only been 5 Business Associate data breaches reported to date.

An analysis of 2013, 2014 and 2015 data breach reports has been summarized in the infographic below. Data was collected from the Department of Health and Human Services’ Office for Civil Rights breach portal.



Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.