HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Breach Barometer Report Shows Over 50 Million Healthcare Records Were Breached in 2021

Protenus has released its 2022 Breach Barometer Report which confirms 2021 was a particularly bad year for healthcare industry data breaches, with more than 50 million healthcare records exposed or compromised in 2021.

The report includes healthcare data breaches reported to regulators, as well as data breaches that have been reported in the media, incidents that have not been disclosed by the breached entity, and data breaches involving healthcare data at non-HIPAA-regulated entities. The data for the report was provided by databreaches.net.

Protenus has been releasing annual Breach Barometer reports since 2016, and the number of healthcare data breaches has increased every year, with the number of breached records increasing every year since 2017. In 2021, it has been confirmed that at least 50,406,838 individuals were affected by healthcare data breaches, a 24% increase from the previous year. 905 incidents are included in the report, which is a 19% increase from 2020.

The largest healthcare data breach of the year affected Florida Healthy Kids Corporation, a Tallahassee, FL-based children’s health plan. Vulnerabilities in its website had not been addressed by its business associate since 2013, and those vulnerabilities were exploited by hackers who gained access to the sensitive data of 3,500,000 individuals who had applied for health insurance between 2013 and 2020.


Hacking incidents increased for the 6th successive year, with 678 breaches – 75% of the year’s total number of breaches – attributed to hacking incidents, which include malware, ransomware, phishing and email incidents. Those breaches resulted in the records of 43,782,811 individuals being exposed or stolen – 87% of all breached records in 2021.

There has been a general trend over the past 6 years that has seen the number of insider incidents fall, albeit with an increase in 2020. There were 111 insider incidents in 2021, similar to the 110 incidents in 2019, which is a 26% decrease from 2020. The increase in 2020 is believed to be pandemic-related, with Protenus suggesting the 2020 spike was driven by a pandemic-related increase in insider curiosity or organizational detection of impropriety that has since subsided.

There were 32 theft-related breaches involving at least 110,6656 records and 11 cases of lost or missing devices or paperwork containing the records of at least 30,922 individuals. 73 incidents could not be classified due to a lack of information.

Healthcare providers continue to be the worst affected HIPAA-covered entity type, but business associate data breaches have increased to almost double the level of 2019. 75% of those incidents were hacking-related, 12% were due to insider error, and 1% were due to insider wrongdoing. Across those incidents, 20,986,509 records were breached. Protenus says that the average number of records breached per business associate data breach is higher than for any other category of breach.

The time taken to discover a data breach decreased by 30% since 2020. The average time from the date of the breach to discovery is now 132 days; however, it is taking much longer for organizations to disclose data breaches than in 2020. In 2021, the average time to report a data breach was 118 days, which is well over the 60 days stipulated by the HIPAA Breach Notification Rule. In 2020, the time from discovery to reporting was 85 days. The median time for reporting breaches was 62 days in 2021, which is also over the Breach Notification Rule reporting deadline.

“The need for proactive patient privacy monitoring has never been greater. The threats we’re seeing today are much more intrusive than in years past and can come from multiple sources — a random employee snooping or a sophisticated cybersecurity hacker that gains access through an employee channel,” said Nick Culbertson, CEO of Protenus. “Once a breach erodes patient trust in your organization, that’s extremely difficult to recover from.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.