Share this article on:
2016 was a particularly bad year for healthcare data breaches. More data breaches were reported than in any other year since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach summaries in 2009.
In 2016, 329 breaches of more than 500 records were reported to the Office for Civil Rights and 16,655,952 healthcare records were exposed or stolen.
2017 looks set to be another record breaking year for healthcare data breaches. Figures for the first quarter of 2017 show data breaches have increased, with rises in theft incidents, hacks and unauthorized disclosures.
By the end of Q1, 2016, 64 breaches of more than 500 records had been reported to OCR and 3,529,759 had been exposed or stolen.
Between January 1, 2017 and March 31, 2017, OCR received 79 data breach reports from HIPAA covered entities and business associates. Those breaches have resulted in the theft or exposure of 1,713,591 healthcare records.
While fewer individuals have been impacted by healthcare data breaches than in the equivalent period last year, the number of reported breaches has increased by more than 23%.
Hacking incidents have increased by 26%, unauthorized access and disclosures have risen by 28%, and theft incidents have increased by 30%. Incidents involving improper disposal of PHI have remained the same and there has been little change in the number of reported loss incidents.
April has also started poorly, with Ashland Women’s Health having discovered a hacking incident that has resulted in the exposure of 19,727 patient health records.
While hacking incidents have risen year on year, the biggest threat comes from within. Protenus reports that in January, 59.2% of healthcare data breaches were caused by insiders, with February’s healthcare data breach report indicating insiders were responsible for 58% of breaches.
Largest Healthcare Data Breaches in Q1, 2017
| Organization | Covered Entity Type | Type of Breach | Individuals Affected |
| Commonwealth Health Corporation | Healthcare Provider | Theft | 697,800 |
| Urology Austin, PLLC | Healthcare Provider | Hacking/IT Incident | 279,663 |
| VisionQuest Eyecare | Healthcare Provider | Hacking/IT Incident | 85,995 |
| Washington University School of Medicine | Healthcare Provider | Hacking/IT Incident | 80,270 |
| Emory Healthcare | Healthcare Provider | Hacking/IT Incident | 79,930 |
| Stephenville Medical & Surgical Clinic | Healthcare Provider | Unauthorized Access/Disclosure | 75,000 |
| Primary Care Specialists, Inc. | Healthcare Provider | Hacking/IT Incident | 65,000 |
| ABCD Pediatrics, P.A. | Healthcare Provider | Hacking/IT Incident | 55,447 |
| WellCare Health Plans, Inc. | Health Plan | Hacking/IT Incident | 24,809 |
| Denton Heart Group | Healthcare Provider | Theft | 21,665 |