Healthcare Data Breach Report by HIPAA Journal
The primary Healthcare Data Breach Report by HIPAA Journal analyzes and identifies trends in breaches of 500 or more records notified to HHS’ Office for Civil Rights. The primary report also lists settlement agreements and civil monetary penalties imposed for HIPAA violations by HHS’ Office for Civil Rights, State Attorneys General, and the Federal Trade Commission.
In addition, HIPAA Journal has produced annual and monthly reports since 2019 to provide more granular information about healthcare data breaches, their causes, and their consequences. Visitors to HIPAAJournal.com can access the primary report or any of the recent annual and monthly reports by clicking on the applicable link in the table below.
Why Discrepancies May Exist between HIPAA Journal and OCR Data
When reviewing any Healthcare Data Breach Report by HIPAA Journal, it is important to be aware that discrepancies may exist between HIPAA Journal and OCR data. There are two reasons for possible discrepancies.
Incomplete Reporting
The first reason is that covered entities and business associates sometimes notify HHS’ Office for Civil Rights (OCR) of a data breach before knowing the cause of the breach or the exact number of records exposed in the breach. This is to ensure that a breach of 500 or more records is notified within 60 days from the date of discovery as required by the Breach Notification Rule.
HIPAA Journal’s annual and monthly Healthcare Data Breach Reports are compiled and published at a “point in time”. Breach notifications to OCR that are revised after the publication of an annual or monthly report are disregarded for these reports, as breach notifications can be revised on multiple occasions and may not be completed for up to two years after the event.
Inaccurate Reporting
The second reason for potential discrepancies is inaccurate reporting. Inaccurate reporting most often occurs because covered entities and business associates submit breach notifications that describe the events of a breach rather than its root cause. For example, many “Network Server” breaches attributed to “Hacking” actually start with a phishing email.
It can also be the case that multiple covered entities individually report a single breach that occurred at a shared business associate. As a result, the number of breaches on the OCR Breach Report can be inflated, as can the number of individuals affected if, for example, an individual is a patient of multiple covered entities that each report the same data breach.
Breaches Not Included in the Healthcare Data Breach Report by HIPAA Journal
As mentioned in the introduction, the Healthcare Data Breach Report by HIPAA Journal analyzes and identifies trends in breaches of 500 or more records notified to OCR. However, this represents less than 10% of all healthcare data breaches notified to OCR – the remainder affecting fewer than 500 individuals and most often attributable to unauthorized disclosures.
Source – 2022 Report to Congress on the Breach Notification Program (February 2024)
Because details of these healthcare data breaches are not publicly available until OCR submits its annual report to Congress (usually 12 to 15 months after the end of the year to which they relate), breaches affecting fewer than 500 individuals are not included in any Healthcare Data Breach Report by HIPAA Journal. All of OCR’s annual reports to Congress can be found here.