HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

91 Million HIPAA Data Breach Victims Reported in Last 3 Months

The healthcare industry now has to fend off a concerted wave of attacks by cybercriminals looking to obtain the ultimate prize; tens of millions of healthcare records; each worth up to £1000 on the black market.

This year hackers have stolen the data of over 91 million patients and health plan members. To put this into perspective, more records have been stolen by thieves – or have otherwise been exposed – in the first three months of 2015 than were compromised in the whole of 2013. In fact, there have been more than 16 times as many breach victims reported this year than there were in the whole of 2013.

The total number of individuals affected by breaches in the past 8 years is 120 million. To put that figure in context, 120M is a third of the population of the United States, and 76% of these individuals have only become victims this year.

While lost laptops, data sticks and unencrypted Smartphones have caused a number of breaches in recent months, there is now a new front that healthcare providers and insurers must defend. Their servers and email accounts, which are increasingly being targeted by hackers.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

According to the Department of Health and Human Services’ Office for Civil Rights breach portal, in 2015 there have been 47 breaches reported, although because HIPAA Rules allow covered organizations up to 2 months to report PHI breaches, this figure is undoubtedly higher.

HHS data show that breaches are happening due to a variety of reasons, although the hacking of network and email servers is a major concern as the number of incidents is clearly on the rise. Out of the last 10 HIPAA data breaches reported to the OCR, 8 were the result of hackers infiltrating network servers, email and computers. Those last 8 data breaches exposed 90,707,372 individual patient records.

A New Age of Healthcare Data Breaches

According to Rachel Seeger, Spokesperson for the Office for Civil Rights, “Healthcare organizations need to make data security central to how they manage their information systems and to be vigilant in assessing and addressing the risks to data on a regular basis.” She also highlighted the need to be prepared for inevitable attacks and said organizations need to be ready to “identify and respond appropriately to security incidents when they do happen to mitigate harm to affected individuals and prevent future similar incidents from occurring.”

She also said in a statement, “We are certainly seeing a rise in the number of individuals affected by hacking/IT incidents.” She went on to say that “These incidents have the potential to affect very large numbers of healthcare consumers, as evidenced by the recent Anthem and Premera breaches.” The Office for Civil Rights has been joined by many industry experts who have predicted the worst is yet to come.

One of the main problems with healthcare data security is systems have not been designed to cope with highly sensitive data and as a result vulnerabilities exist. According to Deborah Peel, executive director of Patient Privacy Rights.”HIPAA required security be addressed, but it wasn’t spelled it out exactly how, so there was no culture of using ironclad security,” said added. “we have systems that are engineered as though this data is not sensitive and valuable.”

According to Dave Kennedy, chief executive of TrustedSEC, “The medical industry is years and years behind other industries when it comes to security.” It is clear that prompt action must be taken by any healthcare provider or covered entity that is currently vulnerable to attack.

It is only by investing time, money and resources into data security that healthcare providers and insurers can reduce the risk of a cyber attacks, and protect the private healthcare data of patients and plan members.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.