HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

2016 Healthcare Data Breach Report Ranks Breaches By State

A new 2016 healthcare data breach report has been released detailing incidents reported to the Department of Health and Human Services’ Office for Civil Rights. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA –  shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016.

Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers.

The top ten states for healthcare data breaches were found to be:

  1. California – 39 breaches
  2. Florida – 28 breaches
  3. Texas – 23 breaches
  4. New York – 15 breaches
  5. Illinois, Indiana, & Washington – 12 breaches
  6. Ohio & Pennsylvania – 11 breaches
  7. Michigan – 10 breaches
  8. Arizona & Arkansas – 9 breaches
  9. Georgia & Minnesota – 8 breaches
  10. Colorado & Missouri – 7 breaches

The states least affected by healthcare data breaches in 2016 were:

Please see the HIPAA Journal Privacy Policy

  1. Idaho
  2. Maine
  3. North Dakota
  4. South Dakota
  5. Vermont
  6. West Virginia

HIPAA-covered entities based in each of those states survived 2016 without experiencing a data breach that impacted more than 500 individuals. Only one HIPAA breach impacting more than 500 individuals was reported last year by a HIPAA-covered entity based in Alaska, Delaware, Hawaii, New Hampshire, Nevada, Utah and Wyoming.

The five worst hit states in terms of the numbers of records exposed were as follows:

  1. Arizona – 4,524,278 records
  2. New York – 3,588,554 records
  3. Florida – 2,872,912 records
  4. California – 1,436,701 records
  5. Georgia – 782,956 records

The main causes of healthcare data breaches in 2016 were unauthorized access/disclosure, which accounted for 41.5% of breaches, followed by hacking/IT incidents (31.8%), theft (19%), loss (5.4%) and improper disposal (2.3%).

Theft of physical PHI and devices used to store electronic protected health information was significantly lower than in 2015 when theft accounted for 30% of reported data breaches. In 2015, unauthorized access/disclosure was cited as the cause of 38% of breaches, hacking/IT incidents accounted for 21.4% of breaches, loss of PHI and devices used to store ePHI was the cause of 8.3% of breaches, and improper disposal was the cause of 2.3% of breaches.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.