2015 Healthcare Data Breaches Pass 100-Incident Milestone

HIPAA data breach reports passed the 100 incident milestone in May, with the current total of healthcare data breaches for the year standing at 110.

Under HIPAA Rules, all Covered Entities (CEs) are required to report data breaches involving more than 500 individuals to the Department of Health and Human Services’ Office for Civil Rights (OCR), issue a media notice and send breach notification letters to all affected individuals. The Breach Notification Rule places a time limit of 60 days to do this, although the reporting should not be unnecessarily delayed.

The OCR lists data breach summaries on its website, which gives an indication of the state of healthcare cybersecurity and compliance, and of how well CEs' risk mitigation strategies have performed.

The month’s breach reports have been summarized in the infographic below. Data is also shown for the year to date, and the corresponding period in 2014.

Over 100 Healthcare Data Breaches Recorded in the First 5 Months of 2015


The healthcare industry is under attack from hackers; healthcare workers are taking data and giving it to new employers; laptops are being left in vehicles; and healthcare providers are disclosing PHI. However, compared to this time last year, privacy and security standards appear to have improved, as the number of data breaches reported so far this year has fallen substantially.

Between January and the end of May last year, 131 data breaches had been reported. This month’s figures represent a fall of 16% year on year.

The fall suggests that healthcare providers, health plans and their Business Associates are getting to grips with HIPAA Rules and are improving data security protections. This is clearly evident with Business Associates, who have caused only two data breaches this year. At this point in 2014 they were responsible for 44 data breaches.

While the number of incidents has fallen, the victim count has unfortunately risen. Fewer breaches have occurred, but the number of records exposed in those breaches has increased substantially.

The figures for the first third of 2014 show that, were it not for the data breaches at Premera Health and Anthem, the number of victims from data breaches would have differed little year on year. With those data breach figures included, of course, the data tells a completely different story. Over 90,000,000 more records have been exposed so far in 2015 than in 2014.

New Breach Reports Added to the Office for Civil Rights’ Breach Portal in May


Towards the end of May there were a number of new breach reports uploaded to the OCR’s ‘Wall of Shame’. These included the Medical Management data breach, exposing 20,512 records, making it the second largest data breach reported in May. The incident affected as many as 40 healthcare providers.

The CareFirst BCBS data breach, the largest to be reported since February’s announcement from Premera Health, has also been added, confirming that 1,100,000 records were exposed. The MetroHealth System and Associated Dentists data breaches, which exposed 981 and 4,725 records respectively, have also been reported to the OCR.

The figures for the month – CareFirst aside – look positively healthy compared to last month when 34 data breaches were reported. This month there have been 13 reported breaches, a fall of 61% month on month.

Marked Differences to April Breach Report Figures


Along with the low volume of data breaches, the volume of records exposed also fell. Last month there were 18 data breaches reported in which more than 1,000 records were exposed, while this month there have only been 11.

In April, unauthorized disclosures caused the most breaches, with 11 hacking incidents also reported. In May only three hacking incidents were discovered, although one of those did result in over a million records being exposed. The biggest cause of data breaches for the month of May was theft of equipment containing PHI.

Don’t Forget to Safeguard Paper Medical Records

In the digital age, when there is a high risk of hackers breaking through defenses and employees copying data onto memory sticks, it is all too easy to forget paper records. They too must be securely stored and access-controlled, as HIPAA Rules apply to all forms of PHI.

While EHRs, email, network servers, desktop computers and portable devices together account for the majority of data breaches, year-to-date figures show that it is paper records that have been involved in the highest number of incidents: 32 data breaches have been reported so far this year involving paper and/or films. Network server incidents closely follow in second place with 26 incidents.

The breach reports made so far this year show that healthcare professionals are being more careful with portable devices and laptops. Between January and May of last year, 44 data breaches were reported involving stolen laptops and portable devices. During the same period this year the figure is less than half, with just 21 incidents reported so far.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.