2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website.

In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year.

More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.

Key Takeaways

  • 25% year-over-year increase in healthcare data breaches.
  • Healthcare data breaches have doubled since 2014.
  • 642 healthcare data breaches of 500 or more records were reported in 2020.
  • 1.76 data breaches of 500 or more healthcare records were reported each day in 2020.
  • 2020 saw more than 29 million healthcare records breached.
  • One breach involved more than 10 million records and 63 saw more than 100K records breached.
  • Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
  • 3,705 data breaches of 500 or more records have been reported since October 2009.
  • 78 million healthcare records have been breached since October 2009.

U.S. Healthcare Data Breaches 2009 to 2020

2020 was the third worst year in terms of the number of breached healthcare records, with 29,298,012 records reported as having been exposed or impermissibly disclosed in 2020. While that is an alarming number of records, it is 29.71% fewer than in 2019. 266.78 million healthcare records have been breached since October 2009 across 3,705 reported data breaches of 500 or more records.


The Largest Healthcare Data Breaches in 2020

The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.

Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).

The Florida-based business associate MEDNAX Services Inc, a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, experienced the largest phishing attack of the year. Hackers gained access to its Office 365 environment and potentially obtained the ePHI of 1,670 individuals, including Social Security numbers, driver’s license numbers, and health insurance and financial information.

Magellan Health’s million-record data breach also started with a phishing email but and ended with ransomware being deployed. The breach affected several of its affiliated entities and potentially saw patient information stolen.

Dental Care Alliance, a dental support organization with more than 320 affiliated dental practices across 20 states, had its systems hacked and the dental records of more than 1 million individuals were potentially stolen.

63 security incidents were reported in 2020 by HIPAA-covered entities and business associates that involved 100,000 or more healthcare records.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
Trinity Health Business Associate 3,320,726 Hacking/IT Incident
MEDNAX Services, Inc. Business Associate 1,290,670 Hacking/IT Incident
Inova Health System Healthcare Provider 1,045,270 Hacking/IT Incident
Magellan Health Inc. Health Plan 1,013,956 Hacking/IT Incident
Dental Care Alliance, LLC Business Associate 1,004,304 Hacking/IT Incident
Luxottica of America Inc. Business Associate 829,454 Hacking/IT Incident
Northern Light Health Business Associate 657,392 Hacking/IT Incident
Health Share of Oregon Health Plan 654,362 Theft
Florida Orthopaedic Institute Healthcare Provider 640,000 Hacking/IT Incident
Elkhart Emergency Physicians, Inc. Healthcare Provider 550,000 Improper Disposal
Aetna ACE Health Plan 484,157 Hacking/IT Incident
Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident
NorthShore University HealthSystem Healthcare Provider 348,746 Hacking/IT Incident
SCL Health – Colorado Healthcare Provider 343,493 Hacking/IT Incident
AdventHealth Healthcare Provider 315,811 Hacking/IT Incident
Nuvance Health Healthcare Provider 314,829 Hacking/IT Incident
Magellan Rx Management Business Associate 314,704 Hacking/IT Incident
The Baton Rouge Clinic Healthcare Provider 308,169 Hacking/IT Incident
Allegheny Health Network Healthcare Provider 299,507 Hacking/IT Incident
Northeast Radiology Healthcare Provider 298,532 Hacking/IT Incident

Main Causes of 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the healthcare data breach reports in 2020. 429 hacking/IT-related data breaches were reported in 2020, which account for 66.82% of all reported breaches and 91.99% of all breached records. These incidents include exploitation of vulnerabilities and phishing, malware, and ransomware attacks, with the latter having increased considerably in recent months.

causes of 2020 healthcare data breaches

A recent report from Check Point revealed there was a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020. Some of the year’s largest and most damaging breaches to affect the healthcare industry in 2020 involved ransomware. In many cases, systems were taken out of action for weeks and patient services were affected. Ryuk, Sodinokibi (REvil), Conti, and Egregor ransomware have been the main culprits. The healthcare industry has been heavily targeted throughout the pandemic. According to Emsisoft, at least 560 healthcare facilities in the United States were affected by ransomware attacks in 2020, across 80 separate incidents.

Unauthorized access/disclosure incidents accounted for 22.27% of the year’s breaches and 2.69% of breached records. These incidents include the accessing of healthcare records my malicious insiders, snooping on medical records by healthcare workers, accidental disclosures of PHI to unauthorised individuals, and human error that exposes patient data.

Breach Type Number of breaches Records breached

Mean Records Breached

Median Records Breached
Hacking/IT Incident 429 26,949,956 62,820 8,000
Unauthorized Access/Disclosure 143 787,015 5,504 1,713
Theft 39 806,552 20,681 1,319
Improper Disposal 16 584,980 36,561 1,038
Loss 15 169,509 11,301 2,298

Location of Breached Protected Health Information

The increased use of encryption and cloud services for storing data have helped to reduce the number of loss/theft incidents, which used to account for the majority of reported breaches. Phishing attacks are still a leading cause of data breaches in healthcare and are often the first step in a multi-stage attack that sees malware or ransomware deployed.

Email account breaches were reported at a rate of more than 1 every two days in 2020, but email-related breaches took second spot this year behind breaches of network servers. Network servers often store large amounts of patient data and are a prime target for hackers and ransomware gangs.

While the majority of healthcare data breaches have involved electronic protected health information, a significant percentage of breaches in 2020 involved paper/film copies of protected health information which were obtained by unauthorized individuals, lost, or disposed of in an insecure manner.

Location of compromised data in healthcare data breaches 2020

Which Entities Suffered the Most Data Breaches in 2020?

The pie chart below shows the breakdown of HIPAA covered entities affected by data breaches of 500 or more records in 2020. Healthcare providers suffered the most breaches with 497 reported incidents. Business associates reported 73 data breaches, but it should be noted that in many cases a breach was experienced at the business associate, but the incident was reported by the covered entities affected. In total, 258 of the year’s breaches had some business associate involvement, which is 40.19% of all breaches. There were 70 breaches reported by health plans, and 2 breaches reported by healthcare clearinghouses.

2020 healthcare data breaches in the United States by Entity type

2020 Healthcare Data Breaches by State

South Dakota, Vermont, Wyoming residents survived 2020 without experiencing any healthcare data breaches, but there were breaches reported by entities based in all other states and the District of Columbia.

California was the worst affected state with 51 breaches, followed by Florida and Texas with 44, New York with 43, and Pennsylvania with 39.

State No. Breaches State No. Breaches State No. Breaches State No. Breaches
California 51 Virginia 18 New Jersey 9 Kansas 3
Florida 44 Indiana 17 South Carolina 9 Nebraska 3
Texas 44 Massachusetts 17 Washington 9 West Virginia 3
New York 43 Maryland 16 Delaware 8 District of Columbia 2
Pennsylvania 39 North Carolina 16 Utah 8 Idaho 2
Ohio 27 Colorado 14 Louisiana 6 Nevada 2
Iowa 26 Missouri 14 Maine 6 Oklahoma 2
Michigan 21 Arizona 12 New Mexico 6 Mississippi 1
Georgia 20 Arkansas 12 Oregon 5 Montana 1
Illinois 20 Kentucky 12 Hawaii 4 New Hampshire 1
Minnesota 20 Wisconsin 12 Alabama 3 North Dakota 1
Connecticut 19 Tennessee 10 Alaska 3 Rhode Island 1

HHS HIPAA Enforcement in 2020

2020 was a busy year in terms of HIPAA enforcement. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, conducted 19 HIPAA compliance investigations that resulted in financial penalties. More penalties were agreed with HIPAA covered entities and business associates in 2020 than in any other year since OCR started enforcing HIPAA compliance.  $13,554,900 was paid in penalties across the 19 cases.

It can take several years from the start of an investigation before a financial penalty is levied. Some of the largest settlements of the year date back to breaches that were experienced in 2015 or earlier; however, the large increase in financial penalties in 2020 is largely due to a HIPAA enforcement drive launched by OCR in late 2019 to tackle noncompliance with the HIPAA Right of Access. There were 11 settlements reached with healthcare providers in 2020 to resolve cases where individuals were not provided with timely access to their medical records.

You can view a summary of OCR’s 2020 HIPAA enforcement actions in this post.

State AG HIPAA Enforcement in 2020

OCR is not the only enforcer of HIPAA compliance. State attorney generals also have the authority to take action against entities found not to be in compliance with the HIPAA Rules. There has been a trend for state attorneys general to work together and pool resources in their legal actions for noncompliance with the HIPAA Rules. In 2020, two multi-state actions were settled with HIPAA covered entities/business associates to resolve violations of the HIPAA Rules.

The health insurer Anthem Inc. settled a case that stemmed from its 78.8 million-record data breach in 2015 and paid financial penalties totalling $48.2 million to resolve multiple potential violations of HIPAA and state laws.

CHSPSC LLC, a Tennessee-based management company that provides services to subsidiary hospital operator companies and other affiliates of Community Health Systems, also settled a multi-state action and paid a financial penalty of $5 million to resolve alleged HIPAA violations. The case stemmed from a 2014 data breach that saw the ePHI of 6,121,158 individuals stolen by hackers.

About This Report

The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare data breaches to be reported to the HHS’ Office for Civil Rights. A summary of breaches of 500 or more records is published by the HHS Office for Civil Rights. This report was compiled using data on the HHS website on 01/19/21 and includes data breaches currently under investigation and archived cases.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.