Healthcare Data Breach Statistics
We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website until December 31, 2020
The healthcare data breach statistics below only include data breaches of 500 or more records as details of smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.
Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 10 years, with 2020 seeing more data breaches reported than any other year since records first started being published.
There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. Better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches are now hacking/IT incidents, with unauthorized access/disclosure incidents also commonplace.
Healthcare Data Breaches by Year
Between 2009 and 2020, 3,705 healthcare data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records. That equates to more than 81.72% of the population of the United States. In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day. In December 2020, that rate had doubled. The average number of breaches per day for 2020 was 1.76.
Healthcare Records Exposed by Year
There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. 2015 was the worst year in history for breached healthcare records with more than 113.27 million records exposed, stolen, or impermissibly disclosed. 2015 was particularly bad due to three massive data breaches at health plans: Anthem Inc, Premera Blue Cross, and Excellus. 
Average/Median Healthcare Data Breach Size by Year
Largest Healthcare Data Breaches (2009-2020)
| Rank | Name of Covered Entity | Year | Covered Entity Type | Individuals Affected | Type of Breach |
| 1 | Anthem Inc. | 2015 | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2 | American Medical Collection Agency | 2019 | Business Associate | 26,059,725 | Hacking/IT Incident |
| 3 | Premera Blue Cross | 2015 | Health Plan | 11,000,000 | Hacking/IT Incident |
| 4 | Excellus Health Plan, Inc. | 2015 | Health Plan | 10,000,000 | Hacking/IT Incident |
| 5 | Science Applications International Corporation | 2011 | Business Associate | 4,900,000 | Loss |
| 6 | University of California, Los Angeles Health | 2015 | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 7 | Community Health Systems Professional Services Corporations | 2014 | Business Associate | 4,500,000 | Hacking/IT Incident |
| 8 | Advocate Medical Group | 2013 | Healthcare Provider | 4,029,530 | Theft |
| 9 | Medical Informatics Engineering | 2015 | Business Associate | 3,900,000 | Hacking/IT Incident |
| 10 | Banner Health | 2016 | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 11 | Newkirk Products, Inc. | 2016 | Business Associate | 3,466,120 | Hacking/IT Incident |
| 12 | Trinity Health | 2020 | Business Associate | 3,320,726 | Hacking/IT Incident |
| 13 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | 2019 | Health Plan | 2,964,778 | Hacking/IT Incident |
| 14 | AccuDoc Solutions, Inc. | 2018 | Business Associate | 2,652,537 | Hacking/IT Incident |
| 15 | 21st Century Oncology | 2016 | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 16 | Xerox State Healthcare | 2014 | Business Associate | 2,000,000 | Unauthorized Access/Disclosure |
| 17 | IBM | 2011 | Business Associate | 1,900,000 | Unknown |
| 18 | GRM Information Management Services | 2011 | Business Associate | 1,700,000 | Theft |
| 19 | Inmediata Health Group, Corp. | 2019 | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure |
| 20 | UnityPoint Health | 2018 | Business Associate | 1,421,107 | Hacking/IT Incident |
| 21 | MEDNAX Services, Inc. | 2020 | Business Associate | 1,290,670 | Hacking/IT Incident |
| 22 | Employees Retirement System of Texas | 2018 | Health Plan | 1,248,263 | Unauthorized Access/Disclosure |
| 23 | AvMed, Inc. | 2010 | Health Plan | 1,220,000 | Theft |
| 24 | CareFirst BlueCross BlueShield | 2015 | Health Plan | 1,100,000 | Hacking/IT Incident |
| 25 | Montana Department of Public Health & Human Services | 2014 | Health Plan | 1,062,509 | Hacking/IT Incident |
Healthcare Hacking Incidents by Year
Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents. The low number of hacking/IT incidents in the earlier years could be partially due to the failure to detected hacking incidents and malware infections. Many of the hacking incidents between 2014-2018 occurred many months, and in some cases years, before they were detected.
Unauthorized Access/Disclosures by Year
As with hacking, healthcare organizations are getting better at detecting insider breaches and reporting those breaches to the Office for Civil Rights. These incidents consist of errors by employees, negligence, and acts by malicious insiders.
Loss/Theft of PHI and Unencrypted ePHI by Year
Our healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information.
Improper Disposal of PHI/ePHI by Year
Breaches by Covered Entity Type
| Year | Healthcare Provider | Health Plan | Business Associate | Healthcare Clearinghouse | Total |
| 2009 | 14 | 1 | 3 | 0 | 18 |
| 2010 | 134 | 21 | 44 | 0 | 199 |
| 2011 | 134 | 19 | 45 | 1 | 199 |
| 2012 | 155 | 23 | 40 | 1 | 219 |
| 2013 | 191 | 20 | 64 | 2 | 277 |
| 2014 | 196 | 41 | 77 | 0 | 314 |
| 2015 | 195 | 61 | 14 | 0 | 270 |
| 2016 | 256 | 51 | 22 | 0 | 329 |
| 2017 | 285 | 52 | 21 | 0 | 358 |
| 2018 | 273 | 53 | 42 | 0 | 368 |
| 2019 | 398 | 59 | 53 | 2 | 512 |
| 2020 | 497 | 70 | 73 | 2 | 642 |
| Total | 2,728 | 471 | 498 | 8 | 3,705 |
OCR Settlements and Fines for HIPAA Violations
The penalties for HIPAA violations can be severe. Multi-million-dollar fines are possible when violations have been allowed to persist for several years or when there is systemic noncompliance with the HIPAA Rules.
The penalty structure for HIPAA violations is detailed in the infographic below:
OCR Settlements and Fines Over the Years
Further information on HIPAA fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines imposed by OCR between 2008 and 2020. As the graph below shows, HIPAA enforcement activity has steadily increased over the past 12 years. The major rise in HIPAA violation penalties in 2020 is largely due to a new drive by OCR to enforce compliance with the HIPAA Right of Access. 11 settlements were reached with healthcare providers in 2020 to resolve cases where patients were not given timely access to their medical records.
How Much Has OCR Fined HIPAA Covered Entities and Business Associates?
In addition to an increase in fines and settlements, penalty amounts increased considerably between 2015 and 2018. In 2018, the largest ever financial penalty for HIPAA violations was paid by Anthem Inc to resolve potential violations of the HIPAA Security Rule that were discovered by OCR during the investigation of its 78.8 million record data breach in 2015. Anthem paid $16 million to settle the case. In 2020, Premera Blue Cross settled potential violations of the HIPAA Rules and paid a $6,850,000 penalty. and the large financial penalties have continued in 2021, with a $5,000,000 settlement agreed with Excellus Health Plan.
It was expected that 2018 would see fewer fines for HIPAA covered entities than in the past two years due to HHS budget cuts, but that proved not to be the case. 2018 was a record breaking year for HIPAA fines and settlements, beating the previous record of $23,505,300 set in 2016 by 22%. OCR received payments totaling $28,683,400 in 2018 from HIPAA covered entities and business associates who had violated HIPAA Rules and 2020 saw a major increase in enforcement activity with 19 settlements.
OCR Penalties for HIPAA Violations
| Year | Covered Entity | Amount | Penalty Type |
| 2021 | Excellus Health Plan | $5,100,000 | Settlement |
| 2021 | Banner Health | $200,000 | Settlement |
| 2020 | Peter Wrobel, M.D., P.C., dba Elite Primary Care | $36,000 | Settlement |
| 2020 | University of Cincinnati Medical Center | $65,000 | Settlement |
| 2020 | Dr. Rajendra Bhayani | $15,000 | Settlement |
| 2020 | Riverside Psychiatric Medical Group | $25,000 | Settlement |
| 2020 | City of New Haven, CT | $202,400 | Settlement |
| 2020 | Aetna | $1,000,000 | Settlement |
| 2020 | NY Spine | $100,000 | Settlement |
| 2020 | Dignity Health, dba St. Joseph’s Hospital and Medical Center | $160,000 | Settlement |
| 2020 | Premera Blue Cross | $6,850,000 | Settlement |
| 2020 | CHSPSC LLC | $2,300,000 | Settlement |
| 2020 | Athens Orthopedic Clinic PA | $1,500,000 | Settlement |
| 2020 | Housing Works, Inc. | $38,000 | Settlement |
| 2020 | All Inclusive Medical Services, Inc. | $15,000 | Settlement |
| 2020 | Beth Israel Lahey Health Behavioral Services | $70,000 | Settlement |
| 2020 | King MD | $3,500 | Settlement |
| 2020 | Wise Psychiatry, PC | $10,000 | Settlement |
| 2020 | Lifespan Health System Affiliated Covered Entity | $1,040,000 | Settlement |
| 2020 | Metropolitan Community Health Services dba Agape Health Services | $25,000 | Settlement |
| 2020 | Steven A. Porter, M.D | $100,000 | Settlement |
| 2019 | Jackson Health System | $2,154,000 | Civil Monetary Penalty |
| 2019 | Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty |
| 2019 | University of Rochester Medical Center | $3,000,000 | Settlement |
| 2019 | Touchstone Medical imaging | $3,000,000 | Settlement |
| 2019 | Sentara Hospitals | $2,175,000 | Settlement |
| 2019 | Medical Informatics Engineering | $100,000 | Settlement |
| 2019 | Korunda Medical, LLC | $85,000 | Settlement |
| 2019 | Bayfront Health St. Petersburg | $85,000 | Settlement |
| 2019 | West Georgia Ambulance | $65,000 | Settlement |
| 2019 | Elite Dental Associates | $10,000 | Settlement |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty |
| 2018 | Anthem Inc | $16,000,000 | Settlement |
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement |
| 2018 | Massachusetts General Hospital | $515,000 | Settlement |
| 2018 | Brigham and Women’s Hospital | $384,000 | Settlement |
| 2018 | Boston Medical Center | $100,000 | Settlement |
| 2018 | Filefax, Inc. | $100,000 | Settlement |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement |
| 2017 | Cardionet | $2,500,000 | Settlement |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement |
| 2017 | 21st Century Oncology | $2,300,000 | Settlement |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement |
| 2017 | Presense Health | $475,000 | Settlement |
| 2017 | Metro Community Provider Network | $400,000 | Settlement |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement |
| 2016 | St. Joseph Health | $2,140,500 | Settlement |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement |
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement |
| 2016 | Care New England Health System | $400,000 | Settlement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement |
| 2015 | University of Washington Medicine | $750,000 | Settlement |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement |
| 2014 | Concentra Health Services | $1,725,220 | Settlement |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement |
| 2014 | Skagit County, Washington | $215,000 | Settlement |
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement |
| 2013 | WellPoint | $1,700,000 | Settlement |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement |
| 2013 | Idaho State University | $400,000 | Settlement |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement |
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement |
| 2012 | Alaska DHSS | $1,700,000 | Settlement |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement |
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement |
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement |
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement |
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement |
| 2008 | Providence Health & Services | $100,000 | Settlement |
State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations
State attorneys general can bring actions against HIPAA covered entities and their business associates for violations of the HIPAA Rules. Penalties range from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.
Only a handful of U.S. states have imposed penalties for HIPAA violations; however, that changed in 2019 and 2020 when many state Attorneys General participated in multistate actions against HIPAA covered entities and business associates that experienced major data breaches and were found not to be in compliance with the HIPAA Security Rule.
Some of the major fines issued by state attorneys general for HIPAA violations and equivalent violations of state laws are listed below.
Attorneys General HIPAA Fines
| Year | State | Covered Entity | Amount |
| 2019 | Multistate | CHSPSC LLC | $5,000,000 |
| 2019 | Multistate | Anthem Inc. | $39.5 million |
| 2019 | California | Anthem Inc. | $8.7 million |
| 2019 | Multistate | Premera Blue Cross | $10,000,000 |
| 2019 | Multistate | Medical Informatics Engineering | $900,000 |
| 2019 | California | Aetna | $935,000 |
| 2018 | Massachusetts | McLean Hospital | $75,000 |
| 2018 | New Jersey | EmblemHealth | $100,000 |
| 2018 | New Jersey | Best Transcription Medical | $200,000 |
| 2018 | Connecticut | Aetna | $99,959 |
| 2018 | New Jersey | Aetna | $365,211.59 |
| 2018 | District of Columbia | Aetna | $175,000 |
| 2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 |
| 2018 | New York | Arc of Erie County | $200,000 |
| 2018 | New Jersey | Virtua Medical Group | $417,816 |
| 2018 | New York | EmblemHealth | $575,000 |
| 2018 | New York | Aetna | $1,150,000 |
| 2017 | California | Cottage Health System | $2,000,000 |
| 2017 | Massachusetts | Multi-State Billing Services | $100,000 |
| 2017 | New Jersey | Horizon Healthcare Services Inc., | $1,100,000 |
| 2017 | Vermont | SAManage USA, Inc. | $264,000 |
| 2017 | New York | CoPilot Provider Support Services, Inc | $130,000 |
| 2015 | New York | University of Rochester Medical Center | $15,000 |
| 2015 | Connecticut | Hartford Hospital/ EMC Corporation | $90,000 |
| 2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 |
| 2014 | Massachusetts | Boston Children’s Hospital | $40,000 |
| 2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 |
| 2013 | Massachusetts | Goldthwait Associates | $140,000 |
| 2012 | MN | Accretive Health | $2,500,000 |
| 2012 | Massachusetts | South Shore Hospital | $750,000 |
| 2011 | Vermont | Health Net Inc. | $55,000 |
| 2011 | Indiana | WellPoint Inc. | $100,000 |
| 2010 | Connecticut | Health Net Inc. | $250,000 |