98 Percent of Compromised Healthcare Records Due to Hacking

2015 was the worst ever year for healthcare data breaches. The top three largest data healthcare data breaches were all discovered in 2015, including the massive cyberattack on Anthem Inc., that exposed a staggering 78.8 million healthcare records.

The mega data breach at Anthem made the breaches at Premera Blue Cross and Excellus look small by comparison, yet they too were larger than any healthcare data breach previously reported to Office for Civil Rights. Just those three data breaches alone exposed almost 100 million healthcare records. Add in the 4.5 million-record data breach at UCLA Health, the 3.9 million-record breach at Medical Informatics Engineering and the one suffered by CareFirst BlueCross BlueShield and the total number of breached records rises to 110 million.

Something all the major healthcare data breaches of 2015 had in common was they were the result of the actions of hackers. Human error may have played a part in the exposure of data, and the majority of breaches reported to OCR last year involved errors of judgement or negligence (loss of devices, theft of equipment, unauthorized disclosures, and incorrect disposal of health records) but hackers were responsible for stealing the most records.

According to the 2016 Healthcare Data Breach Report from cloud access security broker Bitglass, hackers were responsible for 98% of healthcare record breaches in 2015 and stealing 111-million records.

Bitglass 2016 Healthcare Data Breach Report Findings


All HIPAA-covered entities are required to submit a breach report to OCR within 60 days of a data breach being discovered if that breach exposed the records of more than 500 individuals. That gives covered entities up until the end of February 2016 to submit their breach reports, so we may still see even more 2015 healthcare data breaches added to the OCR’s “Wall of Shame.”

Bitglass analyzed the data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights to date, and determined there was an 80% increase in data breaches caused by hackers compared to 2014. This clearly shows hackers are targeting the healthcare industry with increasing regularity. While healthcare providers have previously been the hardest hit, in 2015 it was health insurers/health plans that suffered the most and were the hardest hit HIPAA-covered entities.

Bitglass determined that in 2014, 31 data breaches were caused by hackers. In 2015, the figure had risen to 56. The analysis of OCR data indicates that finally healthcare providers, health insurers, and their business associates are taking better care of equipment used to store ePHI. In 2014, 140 data breaches were reported as involving the theft or loss of devices used to store ePHI. In 2015, that figure had fallen to just 97 incidents. Still a shocking figure, but a considerable improvement year on year.

The Cost to HIPAA-Covered Entities and Healthcare Patients is Colossal


Insurance policies may have been taken out to cover cyberattacks, but they do not always cover the considerable costs of data breaches and HIPAA-covered entities have to pay dearly. The report cites research conducted by the Ponemon Institute last year, which estimated the cost of a healthcare data breach to be $363 per record; considerably more than the average cost per record across all industries, which was determined to be $154 per record.

Health plan members and healthcare patients also have to pay for a breach of their data. Hackers steal healthcare data and use the information to commit identity theft, or sell the records on to identity thieves. In many cases the data is used for months or years before fraud is detected, during which time significant debts can be run up in victims’ names. It can be difficult, or even impossible in some cases, to recover the costs.

Healthcare organizations may provide credit monitoring and identity theft protection services to breach victims, which include insurance policies to cover losses, but that is not always the case. All too often healthcare data breach victims are left with little recourse to claim back losses.

Hackers will continue to attack healthcare providers as long as it is profitable to do so, so major healthcare data breaches can be expected to continue in 2016. Healthcare organizations must get prepared and improve their security posture and not just aim to meet security and compliance requirements, but implement new technologies to make it as hard as possible for hackers to take advantage.

The Bitglass 2016 Healthcare Data Breach Report can be downloaded here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.