Healthcare Data Breach Statistics

We have compiled healthcare data breach statistics from October 2009, when the Department of Health and Human Services’ Office for Civil Rights (OCR) first started publishing summaries of healthcare data breaches on its website.

The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 10 years, with 2019 seeing more data breaches reported than any other year since records first started being published.

There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. Better policies and procedures and the use of encryption have helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches are now hacking/IT incidents, with unauthorized access/disclosures also commonplace.

Healthcare Data Breaches by Year

Between 2009 and 2019, there were 3,054 healthcare data breaches involving more than 500 records. Those breaches resulted in the loss, theft, exposure, or impermissible disclosure of 230,954,151 healthcare records, which equates to more than 69.78% of the population of the United States. In 2019, healthcare data breaches were reported at a rate of 1.4 per day.

Healthcare Records Exposed by Year

There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. 2015 was the worst year on record for breached healthcare records, with more than 113.27 million records exposed, stolen, or impermissibly disclosed. The situation improved after 2015, with successive falls in the number of exposed records, but since 2017 the number of records breached each year has risen considerably: the number of exposed records more than doubled between 2017 and 2018, and more than tripled between 2018 and 2019.

Average/Median Healthcare Data Breach Size by Year

Largest Healthcare Data Breaches (2009-2019)

| Rank | Name of Covered Entity | Year | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|---|
| 1 | Anthem Inc. | 2015 | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2 | American Medical Collection Agency | 2019 | Business Associate | 26,059,725 | Hacking/IT Incident |
| 3 | Premera Blue Cross | 2015 | Health Plan | 11,000,000 | Hacking/IT Incident |
| 4 | Excellus Health Plan, Inc. | 2015 | Health Plan | 10,000,000 | Hacking/IT Incident |
| 5 | Science Applications International Corporation | 2011 | Business Associate | 4,900,000 | Loss |
| 6 | University of California, Los Angeles Health | 2015 | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 7 | Community Health Systems Professional Services Corporations | 2014 | Business Associate | 4,500,000 | Hacking/IT Incident |
| 8 | Advocate Medical Group | 2013 | Healthcare Provider | 4,029,530 | Theft |
| 9 | Medical Informatics Engineering | 2015 | Business Associate | 3,900,000 | Hacking/IT Incident |
| 10 | Banner Health | 2016 | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 11 | Newkirk Products, Inc. | 2016 | Business Associate | 3,466,120 | Hacking/IT Incident |
| 12 | Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. | 2019 | Health Plan | 2,964,778 | Hacking/IT Incident |
| 13 | AccuDoc Solutions, Inc. | 2018 | Business Associate | 2,652,537 | Hacking/IT Incident |
| 14 | 21st Century Oncology | 2016 | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 15 | Xerox State Healthcare | 2014 | Business Associate | 2,000,000 | Unauthorized Access/Disclosure |
| 16 | IBM | 2011 | Business Associate | 1,900,000 | Unknown |
| 17 | GRM Information Management Services | 2011 | Business Associate | 1,700,000 | Theft |
| 18 | Inmediata Health Group, Corp. | 2019 | Healthcare Clearing House | 1,565,338 | Unauthorized Access/Disclosure |
| 19 | UnityPoint Health | 2018 | Business Associate | 1,421,107 | Hacking/IT Incident |
| 20 | Employees Retirement System of Texas | 2018 | Health Plan | 1,248,263 | Unauthorized Access/Disclosure |
| 21 | AvMed, Inc. | 2010 | Health Plan | 1,220,000 | Theft |
| 22 | CareFirst BlueCross BlueShield | 2015 | Health Plan | 1,100,000 | Hacking/IT Incident |
| 23 | Montana Department of Public Health & Human Services | 2014 | Health Plan | 1,062,509 | Hacking/IT Incident |
| 24 | The Nemours Foundation | 2011 | Healthcare Provider | 1,055,489 | Loss |
| 25 | BlueCross BlueShield of Tennessee, Inc. | 2010 | Health Plan | 1,023,209 | Theft |

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents. The low number of hacking/IT incidents in the earlier years could be partially due to the failure to detect hacking incidents and malware infections. Many of the hacking incidents between 2014 and 2018 occurred many months, and in some cases years, before they were detected.


Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting internal breaches and reporting those breaches to the Office for Civil Rights. These incidents consist of errors by employees, negligence, and acts by malicious insiders.

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show HIPAA covered entities and business associates have become significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and in locations accessible to the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information.

Improper Disposal of PHI/ePHI by Year

Breaches by Covered Entity Type

| Year | Healthcare Provider | Health Plan | Business Associate | Healthcare Clearinghouse | Total |
|---|---|---|---|---|---|
| 2009 | 14 | 1 | 3 | 0 | 18 |
| 2010 | 134 | 21 | 44 | 0 | 199 |
| 2011 | 137 | 20 | 42 | 1 | 200 |
| 2012 | 152 | 22 | 40 | 1 | 215 |
| 2013 | 190 | 19 | 64 | 2 | 275 |
| 2014 | 193 | 40 | 77 | 0 | 310 |
| 2015 | 195 | 61 | 14 | 0 | 270 |
| 2016 | 256 | 51 | 22 | 0 | 329 |
| 2017 | 284 | 52 | 21 | 0 | 357 |
| 2018 | 276 | 53 | 42 | 0 | 371 |
| 2019 | 396 | 59 | 53 | 2 | 510 |
| Total | 2227 | 399 | 422 | 6 | 3054 |

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe. Multi-million-dollar fines are possible when violations have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to occur.

The penalty structure for HIPAA violations is detailed in the infographic below:

OCR Settlements and Fines Over the Years

Further information on HIPAA fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines issued by OCR between 2008 and 2019. As the graph below shows, HIPAA enforcement actions have steadily increased over the past 10 years.

How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, the level of fines has also increased substantially in recent years. Multi-million-dollar fines for HIPAA violations are now the norm.

As the above graphs show, there has been a sizable increase in both the number of settlements and civil monetary penalties and the fine amounts in recent years. OCR’s budget has been cut so there are fewer resources to put into pursuing financial penalties in HIPAA violation cases, but the fines remain at high levels.

It was expected that 2018 would see fewer fines for HIPAA covered entities than in the previous two years due to the budget cuts, but that proved not to be the case. 2018 was a record-breaking year for HIPAA fines and settlements, beating the previous record of $23,505,300 set in 2016 by 22%. OCR received payments totaling $28,683,400 in 2018 from HIPAA covered entities and business associates that had violated HIPAA Rules.

OCR Penalties for HIPAA Violations

| Year | Covered Entity | Amount | Penalty Type |
|---|---|---|---|
| 2019 | Jackson Health System | $2,154,000 | Civil Monetary Penalty |
| 2019 | Texas Department of Aging and Disability Services | $1,600,000 | Civil Monetary Penalty |
| 2019 | University of Rochester Medical Center | $3,000,000 | Settlement |
| 2019 | Touchstone Medical Imaging | $3,000,000 | Settlement |
| 2019 | Sentara Hospitals | $2,175,000 | Settlement |
| 2019 | Medical Informatics Engineering | $100,000 | Settlement |
| 2019 | Korunda Medical, LLC | $85,000 | Settlement |
| 2019 | Bayfront Health St. Petersburg | $85,000 | Settlement |
| 2019 | West Georgia Ambulance | $65,000 | Settlement |
| 2019 | Elite Dental Associates | $10,000 | Settlement |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty |
| 2018 | Anthem Inc | $16,000,000 | Settlement |
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement |
| 2018 | Massachusetts General Hospital | $515,000 | Settlement |
| 2018 | Brigham and Women’s Hospital | $384,000 | Settlement |
| 2018 | Boston Medical Center | $100,000 | Settlement |
| 2018 | Filefax, Inc. | $100,000 | Settlement |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement |
| 2017 | Cardionet | $2,500,000 | Settlement |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement |
| 2017 | 21st Century Oncology | $2,300,000 | Settlement |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement |
| 2017 | Presence Health | $475,000 | Settlement |
| 2017 | Metro Community Provider Network | $400,000 | Settlement |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement |
| 2016 | St. Joseph Health | $2,140,500 | Settlement |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement |
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement |
| 2016 | Care New England Health System | $400,000 | Settlement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement |
| 2015 | University of Washington Medicine | $750,000 | Settlement |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement |
| 2014 | Concentra Health Services | $1,725,220 | Settlement |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement |
| 2014 | Skagit County, Washington | $215,000 | Settlement |
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement |
| 2013 | WellPoint | $1,700,000 | Settlement |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement |
| 2013 | Idaho State University | $400,000 | Settlement |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement |
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement |
| 2012 | Alaska DHSS | $1,700,000 | Settlement |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement |
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement |
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement |
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement |
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement |
| 2008 | Providence Health & Services | $100,000 | Settlement |

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can issue fines ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Even when action is taken by state attorneys general over potential HIPAA violations, healthcare organizations are typically fined for violations of state laws. Only a handful of U.S. states have issued fines solely for HIPAA violations, but in 2019 many state attorneys general joined forces in two multi-state actions over major data breaches at Premera Blue Cross and Medical Informatics Engineering.

Some of the major fines issued by state attorneys general for HIPAA violations and violations of state laws are listed below.

Attorneys General HIPAA Fines

| Year | State | Covered Entity | Amount |
|---|---|---|---|
| 2019 | Multi-State | Premera Blue Cross | $10,000,000 |
| 2019 | Multi-State | Medical Informatics Engineering | $900,000 |
| 2019 | California | Aetna | $935,000 |
| 2018 | Massachusetts | McLean Hospital | $75,000 |
| 2018 | New Jersey | EmblemHealth | $100,000 |
| 2018 | New Jersey | Best Transcription Medical | $200,000 |
| 2018 | Washington | Aetna | TBA |
| 2018 | Connecticut | Aetna | $99,959 |
| 2018 | New Jersey | Aetna | $365,211.59 |
| 2018 | District of Columbia | Aetna | $175,000 |
| 2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 |
| 2018 | New York | Arc of Erie County | $200,000 |
| 2018 | New Jersey | Virtua Medical Group | $417,816 |
| 2018 | New York | EmblemHealth | $575,000 |
| 2018 | New York | Aetna | $1,150,000 |
| 2017 | California | Cottage Health System | $2,000,000 |
| 2017 | Massachusetts | Multi-State Billing Services | $100,000 |
| 2017 | New Jersey | Horizon Healthcare Services Inc. | $1,100,000 |
| 2017 | Vermont | SAManage USA, Inc. | $264,000 |
| 2017 | New York | CoPilot Provider Support Services, Inc | $130,000 |
| 2015 | New York | University of Rochester Medical Center | $15,000 |
| 2015 | Connecticut | Hartford Hospital / EMC Corporation | $90,000 |
| 2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 |
| 2014 | Massachusetts | Boston Children’s Hospital | $40,000 |
| 2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 |
| 2013 | Massachusetts | Goldthwait Associates | $140,000 |
| 2012 | Minnesota | Accretive Health | $2,500,000 |
| 2012 | Massachusetts | South Shore Hospital | $750,000 |
| 2011 | Vermont | Health Net Inc. | $55,000 |
| 2011 | Indiana | WellPoint Inc. | $100,000 |
| 2010 | Connecticut | Health Net Inc. | $250,000 |