25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

2016 Healthcare Data Breach Report Ranks Breaches By State

Posted By on Feb 15, 2017

A new 2016 healthcare data breach report has been released detailing incidents reported to the Department of Health and Human Services’ Office for Civil Rights. While other reports have already been compiled, this latest report – compiled by data loss prevention firm Safetica USA –  shows where those data breaches occurred and the states most affected by healthcare data breaches in 2016.

Data for the 2016 healthcare data breach report was taken from the Office for Civil Rights breach portal, which includes all reported breaches of more than 500 records. The data show that the states most affected by healthcare data breaches are those with the highest number of residents and highest number of healthcare providers.

The top ten states for healthcare data breaches were found to be:

  1. California – 39 breaches
  2. Florida – 28 breaches
  3. Texas – 23 breaches
  4. New York – 15 breaches
  5. Illinois, Indiana, & Washington – 12 breaches
  6. Ohio & Pennsylvania – 11 breaches
  7. Michigan – 10 breaches
  8. Arizona & Arkansas – 9 breaches
  9. Georgia & Minnesota – 8 breaches
  10. Colorado & Missouri – 7 breaches

The states least affected by healthcare data breaches in 2016 were:

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

  1. Idaho
  2. Maine
  3. North Dakota
  4. South Dakota
  5. Vermont
  6. West Virginia

HIPAA-covered entities based in each of those states survived 2016 without experiencing a data breach that impacted more than 500 individuals. Only one HIPAA breach impacting more than 500 individuals was reported last year by a HIPAA-covered entity based in Alaska, Delaware, Hawaii, New Hampshire, Nevada, Utah and Wyoming.

The five worst hit states in terms of the numbers of records exposed were as follows:

  1. Arizona – 4,524,278 records
  2. New York – 3,588,554 records
  3. Florida – 2,872,912 records
  4. California – 1,436,701 records
  5. Georgia – 782,956 records

The main causes of healthcare data breaches in 2016 were unauthorized access/disclosure, which accounted for 41.5% of breaches, followed by hacking/IT incidents (31.8%), theft (19%), loss (5.4%) and improper disposal (2.3%).

Theft of physical PHI and devices used to store electronic protected health information was significantly lower than in 2015 when theft accounted for 30% of reported data breaches. In 2015, unauthorized access/disclosure was cited as the cause of 38% of breaches, hacking/IT incidents accounted for 21.4% of breaches, loss of PHI and devices used to store ePHI was the cause of 8.3% of breaches, and improper disposal was the cause of 2.3% of breaches.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist