Healthcare Data Breach Statistics
We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website.
The healthcare data breach statistics below only include data breaches of 500 or more records as smaller breaches are not published by OCR. The breaches include closed cases and breaches still being investigated by OCR.
Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 9 years, with 2018 seeing more data breaches reported than any other year since records first started being published.
There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015, although better policies and procedures and the use of encryption has helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches is now hacking/IT incidents, with unauthorized access/disclosures also commonplace.
Healthcare Data Breaches by Year
Between 2009 and 2018 there have been 2,546 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59% of the population of the United States. Healthcare data breaches are now being reported at a rate of more than one per day.
Healthcare Records Exposed by Year
There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. 2015 was the worst year in history for breached healthcare records with more than 113.27 million records exposed. 2012 was the best year with just 2,808,042 healthcare records exposed. The situation has improved since 2015 with successive falls in the number of exposed records. Although that trend did not continue in 2018. The number of exposed records more than doubled year over year, from 5,138,179 records in 2017 to 13,236,569 records in 2018.
Average/Median Healthcare Data Breach Size by Year
Largest Healthcare Data Breaches (2009-2018)
| Rank | Name of Covered Entity | Year | Covered Entity Type | Individuals Affected | Type of Breach |
| 1 | Anthem Inc. | 2015 | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2 | Premera Blue Cross | 2015 | Health Plan | 11,000,000 | Hacking/IT Incident |
| 3 | Excellus Health Plan Inc. | 2015 | Health Plan | 10,000,000 | Hacking/IT Incident |
| 4 | Science Applications International Corporation | 2011 | Business Associate | 4,900,000 | Loss |
| 5 | University of California, Los Angeles Health | 2015 | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 6 | Community Health Systems Professional Services Corporations | 2014 | Business Associate | 4,500,000 | Hacking/IT Incident |
| 7 | Advocate Medical Group | 2013 | Healthcare Provider | 4,029,530 | Theft |
| 8 | Medical Informatics Engineering | 2015 | Business Associate | 3,900,000 | Hacking/IT Incident |
| 9 | Banner Health | 2016 | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 10 | Newkirk Products, Inc. | 2016 | Business Associate | 3,466,120 | Hacking/IT Incident |
| 11 | AccuDoc Solutions, Inc. | 2018 | Business Associate | 2,652,537 | Hacking/IT Incident |
| 12 | 21st Century Oncology | 2016 | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 13 | Xerox State Healthcare, LLC | 2014 | Business Associate | 2,000,000 | Unauthorized Access/Disclosure |
| 14 | IBM | 2011 | Business Associate | 1,900,000 | Unknown |
| 15 | GRM Information Management Services | 2011 | Business Associate | 1,700,000 | Theft |
| 16 | UnityPoint Health | 2018 | Business Associate | 1,421,107 | Hacking/IT Incident |
| 17 | Employees Retirement System of Texas | 2018 | Health Plan | 1,248,263 | Unauthorized Access/Disclosure |
| 18 | AvMed, Inc. | 2010 | Health Plan | 1,220,000 | Theft |
| 19 | CareFirst BlueCross BlueShield | 2015 | Health Plan | 1,100,000 | Hacking/IT Incident |
| 20 | Montana Department of Public Health & Human Services | 2014 | Health Plan | 1,062,509 | Hacking/IT Incident |
| 21 | The Nemours Foundation | 2011 | Healthcare Provider | 1,055,489 | Loss |
| 22 | BlueCross BlueShield of Tennessee, Inc. | 2010 | Health Plan | 1,023,209 | Theft |
| 23 | Sutter Medical Foundation | 2011 | Healthcare Provider | 943,434 | Theft |
| 24 | Valley Anesthesiology and Pain Consultants | 2016 | Healthcare Provider | 882,590 | Hacking/IT Incident |
| 25 | Horizon Blue Cross Blue Shield of New Jersey | 2014 | Business Associate | 839,711 | Theft |
Healthcare Hacking Incidents by Year
Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents. The low hacking/IT incidents in the earlier years could be partially due to the failure to detected hacking incidents and malware infections quickly. Many of the hacking incidents between 2014-2018 occurred many months, and in come cases years, before they were detected.
Unauthorized Access/Disclosures by Year
As with hacking, healthcare organizations are getting better at detecting internal breaches and also reporting those breaches to the Office for Civil Rights. While hacking is the main cause of breaches, unauthorized access/disclosure incidents are not far behind.
Loss/Theft of PHI and Unencrypted ePHI by Year
Our healthcare data breach statistics show HIPAA covered entities and business associates have got significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information.
Improper Disposal of PHI/ePHI by Year
Breaches by Covered Entity Type
| Year | Provider | Health Plan | Business Associate | Other | Total |
| 2009 | 14 | 1 | 3 | – | 18 |
| 2010 | 134 | 21 | 44 | – | 199 |
| 2011 | 137 | 20 | 42 | 1 | 200 |
| 2012 | 155 | 22 | 36 | 4 | 217 |
| 2013 | 199 | 18 | 56 | 5 | 278 |
| 2014 | 202 | 71 | 41 | – | 314 |
| 2015 | 196 | 62 | 11 | – | 269 |
| 2016 | 257 | 51 | 19 | – | 327 |
| 2017 | 288 | 52 | 19 | – | 359 |
| 2018 | 273 | 53 | 39 | – | 365 |
| Total | 1855 | 371 | 310 | 10 | 2181 |
OCR Settlements and Fines for HIPAA Violations
The penalties for HIPAA violations can be severe. Multi-million-dollar fines possible when violations have been allowed to persist for several years or when multiple violations of HIPAA Rules have been allowed to occur.
The penalty structure for HIPAA violations is detailed in the infographic below:
OCR Settlements and Fines Over the Years
Further information on HIPAA fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines issued by OCR between 2008 and 2018. As the graph below shows, HIPAA enforcement has increased considerably over the past 9 years.
How Much Has OCR Fined HIPAA Covered Entities and Business Associates?
In addition to an increase in fines and settlements, the level of fines has also increased substantially. Multi-million-dollar fines for HIPAA violations are now the norm.
As the above graphs show, there has been a sizable increase in both the number of settlements and civil monetary penalties and the fine amounts in recent years. OCR’s budget has been cut so there are fewer resources to put into pursuing financial penalties in HIPAA violation cases, but the fines remain at high levels. It was expected that 2018 would see fewer fines for HIPAA covered entities than in the past two years due to the budget cuts, but that proved not to be the case. 2018 was a record breaking year for HIPAA fines and settlements, beating the previous record of $23,505,300 set in 2016 by 22%. OCR received payments totaling $28,683,400 in 2018 from HIPAA covered entities and business associates who had violated HIPAA Rules.
OCR Penalties for HIPAA Violations
| Year | Covered Entity | Amount | Settlement/CMP |
| 2018 | Cottage Health | $3,000,000 | Settlement |
| 2018 | Pagosa Springs Medical Center | $111,400 | Settlement |
| 2018 | Advanced Care Hospitalists | $500,000 | Settlement |
| 2018 | Allergy Associates of Hartford | $125,000 | Settlement |
| 2018 | Anthem Inc | $16,000,000 | Settlement |
| 2018 | Boston Medical Center | $100,000 | Settlement |
| 2018 | Brigham and Women’s Hospital | $384,000 | Settlement |
| 2018 | Massachusetts General Hospital | $515,000 | Settlement |
| 2018 | University of Texas MD Anderson Cancer Center | $4,348,000 | Civil Monetary Penalty |
| 2018 | Filefax, Inc. | $100,000 | Settlement |
| 2018 | Fresenius Medical Care North America | $3,500,000 | Settlement |
| 2017 | 21st Century Oncology | $2,300,000 | Settlement |
| 2017 | Memorial Hermann Health System | $2,400,000 | Settlement |
| 2017 | St. Luke’s-Roosevelt Hospital Center Inc. | $387,000 | Settlement |
| 2017 | The Center for Children’s Digestive Health | $31,000 | Settlement |
| 2017 | Cardionet | $2,500,000 | Settlement |
| 2017 | Metro Community Provider Network | $400,000 | Settlement |
| 2017 | Memorial Healthcare System | $5,500,000 | Settlement |
| 2017 | Children’s Medical Center of Dallas | $3,200,000 | Civil Monetary Penalty |
| 2017 | MAPFRE Life Insurance Company of Puerto Rico | $2,200,000 | Settlement |
| 2017 | Presense Health | $475,000 | Settlement |
| 2016 | University of Massachusetts Amherst (UMass) | $650,000 | Settlement |
| 2016 | St. Joseph Health | $2,140,500 | Settlement |
| 2016 | Care New England Health System | $400,000 | Settlement |
| 2016 | Advocate Health Care Network | $5,550,000 | Settlement |
| 2016 | University of Mississippi Medical Center | $2,750,000 | Settlement |
| 2016 | Oregon Health & Science University | $2,700,000 | Settlement |
| 2016 | Catholic Health Care Services of the Archdiocese of Philadelphia | $650,000 | Settlement |
| 2016 | New York Presbyterian Hospital | $2,200,000 | Settlement |
| 2016 | Raleigh Orthopaedic Clinic, P.A. of North Carolina | $750,000 | Settlement |
| 2016 | Feinstein Institute for Medical Research | $3,900,000 | Settlement |
| 2016 | North Memorial Health Care of Minnesota | $1,550,000 | Settlement |
| 2016 | Complete P.T., Pool & Land Physical Therapy, Inc. | $25,000 | Settlement |
| 2016 | Lincare, Inc. | $239,800 | Civil Monetary Penalty |
| 2015 | University of Washington Medicine | $750,000 | Settlement |
| 2015 | Triple S Management Corporation | $3,500,000 | Settlement |
| 2015 | Lahey Hospital and Medical Center | $850,000 | Settlement |
| 2015 | Cancer Care Group, P.C. | $750,000 | Settlement |
| 2015 | St. Elizabeth’s Medical Center | $218,400 | Settlement |
| 2015 | Cornell Prescription Pharmacy | $125,000 | Settlement |
| 2014 | Anchorage Community Mental Health Services | $150,000 | Settlement |
| 2014 | Parkview Health System, Inc. | $800,000 | Settlement |
| 2014 | New York and Presbyterian Hospital and Columbia University | $4,800,000 | Settlement |
| 2014 | QCA Health Plan, Inc., of Arkansas | $250,000 | Settlement |
| 2014 | Concentra Health Services | $1,725,220 | Settlement |
| 2014 | Skagit County, Washington | $215,000 | Settlement |
| 2013 | Adult & Pediatric Dermatology, P.C. | $150,000 | Settlement |
| 2013 | Affinity Health Plan, Inc. | $1,215,780 | Settlement |
| 2013 | WellPoint | $1,700,000 | Settlement |
| 2013 | Shasta Regional Medical Center | $275,000 | Settlement |
| 2013 | Idaho State University | $400,000 | Settlement |
| 2012 | The Hospice of Northern Idaho | $50,000 | Settlement |
| 2012 | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. | $1,500,000 | Settlement |
| 2012 | Alaska DHSS | $1,700,000 | Settlement |
| 2012 | Phoenix Cardiac Surgery | $100,000 | Settlement |
| 2012 | Blue Cross Blue Shield of Tennessee | $1,500,000 | Settlement |
| 2011 | University of California at Los Angeles Health System | $865,500 | Settlement |
| 2011 | General Hospital Corp. & Massachusetts General Physicians Organization Inc. | $1,000,000 | Settlement |
| 2011 | Cignet Health of Prince George’s County | $4,300,000 | Civil Monetary Penalty |
| 2010 | Management Services Organization Washington Inc. | $35,000 | Settlement |
| 2010 | Rite Aid Corporation | $1,000,000 | Settlement |
| 2009 | CVS Pharmacy Inc. | $2,250,000 | Settlement |
State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations
State attorneys general can issue fines ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.
Even when action is taken by state attorneys general over potential HIPAA violations, healthcare organizations are typically fined for violations of state laws. Only a handful of U.S. states have issued fines solely for HIPAA violations
Some of the major fines issued by state attorneys general for HIPAA violations and violations of state laws are listed below.
Attorneys General HIPAA Fines
| Year | State | Covered Entity | Amount |
| 2018 | Massachusetts | McLean Hospital | $75,000 |
| 2018 | New Jersey | EmblemHealth | $100,000 |
| 2018 | New Jersey | Best Transcription Medical | $200,000 |
| 2018 | Washington | Aetna | TBA |
| 2018 | Connecticut | Aetna | $99,959 |
| 2018 | New Jersey | Aetna | $365,211.59 |
| 2018 | District of Columbia | Aetna | $175,000 |
| 2018 | Massachusetts | UMass Memorial Medical Group / UMass Memorial Medical Center | $230,000 |
| 2018 | New York | Arc of Erie County | $200,000 |
| 2018 | New Jersey | Virtua Medical Group | $417,816 |
| 2018 | New York | EmblemHealth | $575,000 |
| 2018 | New York | Aetna | $1,150,000 |
| 2017 | California | Cottage Health System | $2,000,000 |
| 2017 | Massachusetts | Multi-State Billing Services | $100,000 |
| 2017 | New Jersey | Horizon Healthcare Services Inc., | $1,100,000 |
| 2017 | Vermont | SAManage USA, Inc. | $264,000 |
| 2017 | New York | CoPilot Provider Support Services, Inc | $130,000 |
| 2015 | New York | University of Rochester Medical Center | $15,000 |
| 2015 | Connecticut | Hartford Hospital/ EMC Corporation | $90,000 |
| 2014 | Massachusetts | Women & Infants Hospital of Rhode Island | $150,000 |
| 2014 | Massachusetts | Boston Children’s Hospital | $40,000 |
| 2014 | Massachusetts | Beth Israel Deaconess Medical Center | $100,000 |
| 2013 | Massachusetts | Goldthwait Associates | $140,000 |
| 2012 | MN | Accretive Health | $2,500,000 |
| 2012 | Massachusetts | South Shore Hospital | $750,000 |
| 2011 | Vermont | Health Net Inc. | $55,000 |
| 2011 | Indiana | WellPoint Inc. | $100,000 |
| 2010 | Connecticut | Health Net Inc. | $250,000 |