2017 Shaping Up to Be Another Record-Breaking Year for Healthcare Data Breaches

2016 was a particularly bad year for healthcare data breaches. More data breaches were reported than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach summaries in 2009.

In 2016, 329 breaches of more than 500 records were reported to the Office for Civil Rights and 16,655,952 healthcare records were exposed or stolen.

2017 looks set to be another record-breaking year for healthcare data breaches. Figures for the first quarter of 2017 show data breaches have increased, with rises in theft incidents, hacks and unauthorized disclosures.

By the end of Q1, 2016, 64 breaches of more than 500 records had been reported to OCR and 3,529,759 records had been exposed or stolen.

Between January 1, 2017 and March 31, 2017, OCR received 79 data breach reports from HIPAA covered entities and business associates. Those breaches have resulted in the theft or exposure of 1,713,591 healthcare records.

While fewer individuals have been impacted by healthcare data breaches than in the equivalent period last year, the number of reported breaches has increased by more than 23%.

Hacking incidents have increased by 26%, unauthorized access and disclosures have risen by 28%, and theft incidents have increased by 30%. Incidents involving improper disposal of PHI have remained the same and there has been little change in the number of reported loss incidents.

April has also started poorly, with Ashland Women’s Health having discovered a hacking incident that has resulted in the exposure of 19,727 patient health records.

While hacking incidents have risen year on year, the biggest threat comes from within. Protenus reports that in January, 59.2% of healthcare data breaches were caused by insiders, with February’s healthcare data breach report indicating insiders were responsible for 58% of breaches.

Largest Healthcare Data Breaches in Q1, 2017


| Organization | Covered Entity Type | Type of Breach | Individuals Affected |
|---|---|---|---|
| Commonwealth Health Corporation | Healthcare Provider | Theft | 697,800 |
| Urology Austin, PLLC | Healthcare Provider | Hacking/IT Incident | 279,663 |
| VisionQuest Eyecare | Healthcare Provider | Hacking/IT Incident | 85,995 |
| Washington University School of Medicine | Healthcare Provider | Hacking/IT Incident | 80,270 |
| Emory Healthcare | Healthcare Provider | Hacking/IT Incident | 79,930 |
| Stephenville Medical & Surgical Clinic | Healthcare Provider | Unauthorized Access/Disclosure | 75,000 |
| Primary Care Specialists, Inc. | Healthcare Provider | Hacking/IT Incident | 65,000 |
| ABCD Pediatrics, P.A. | Healthcare Provider | Hacking/IT Incident | 55,447 |
| WellCare Health Plans, Inc. | Health Plan | Hacking/IT Incident | 24,809 |
| Denton Heart Group | Healthcare Provider | Theft | 21,665 |

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.