Largest Healthcare Data Breaches of 2016
2016 was a particularly bad year for healthcare data breaches. The largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 – 16,471,765 records were exposed compared to 113,267,174 records in 2015 – but more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year.
As of February 6, 2017 there have been 329 reported breaches of more than 500 records that have been uploaded to the OCR breach portal. 2017 looks set to be another particularly bad year for data breaches.
2016 Healthcare Data Breaches of 500 or More Records
| Year | Number of Breaches (500+) | Number of Records Exposed |
| 2016 | 329 | 16,471,765 |
| 2015 | 270 | 113,267,174 |
| 2014 | 307 | 12,737,973 |
| 2013 | 274 | 6,950,118 |
| 2012 | 209 | 2,808,042 |
| 2011 | 196 | 13,150,298 |
| 2010 | 198 | 5,534,276 |
| 2009 | 18 | 134,773 |
| Total | 1801 | 171,054,419 |
Largest Healthcare Data Breaches of 2016
While the above figures appear to suggest a significant reduction in large healthcare data breaches year on year, the figures are somewhat misleading.
In 2015 there were three massive data breaches reported by HIPAA-covered entities: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three cyberattacks resulted in the theft of 78.8 million records, 11 million, and 10 million records respectively.
More records may have been exposed in 2015 as a result of those major cyberattacks, although in each size category, 2016 ranked worse than 2015. Many healthcare organizations will be happy to put 2016 behind them.
| Year | Breaches of More Than 500 Records | |||
| 500 to 1000 | 1,000 to 10,000 | 10,000 to 100,000 | 100,001+ | |
| 2016 | 89 | 158 | 67 | 14 |
| 2015 | 76 | 142 | 37 | 12 |
Aside from one major breach at a business associate and a health plan, all of the largest healthcare data breaches of 2016 – those that resulted in the exposure or theft of more than 100,000 healthcare records – affected healthcare providers. The largest healthcare data breach of 2016 experienced by a health plan was the 381,504-record breach reported by Community Health Plan of Washington in December.
Largest Healthcare Data Breaches of 2016
| Rank | Covered Entity | Entity Type | Cause of Breach | Records Exposed |
| 1 | Banner Health | Healthcare Provider | Hacking/IT Incident | 3,620,000 |
| 2 | Newkirk Products, Inc. | Business Associate | Hacking/IT Incident | 3,466,120 |
| 3 | 21st Century Oncology | Healthcare Provider | Hacking/IT Incident | 2,213,597 |
| 4 | Valley Anesthesiology Consultants | Healthcare Provider | Hacking/IT Incident | 882,590 |
| 5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | Hacking/IT Incident | 749,017 |
| 6 | Bon Secours Health System Incorporated | Healthcare Provider | Unauthorized Access/Disclosure | 651,971 |
| 7 | Peachtree Orthopaedic Clinic | Healthcare Provider | Hacking/IT Incident | 531,000 |
| 8 | Radiology Regional Center, PA | Healthcare Provider | Loss | 483,063 |
| 9 | California Correctional Health Care Services | Healthcare Provider | Theft | 400,000 |
| 10 | Community Health Plan of Washington | Health Plan | Hacking/IT Incident | 381,504 |
| 11 | Central Ohio Urology Group, Inc. | Healthcare Provider | Hacking/IT Incident | 300,000 |
| 12 | Premier Healthcare, LLC | Healthcare Provider | Theft | 205,748 |
| 13 | Athens Orthopedic Clinic, P.A. | Healthcare Provider | Unauthorized Access/Disclosure | 201,000 |
| 14 | Community Mercy Health Partners | Healthcare Provider | Improper Disposal | 113,528 |
Main Causes of Healthcare Data Breaches in 2016
Insider breaches continue to plague the healthcare industry in the United States. Insiders may not have caused the largest healthcare data breaches of 2016, although insider breaches can cause the most harm to patients. The data stolen in these incidents is commonly used for identity theft and fraud, and usually relatively soon after data have been stolen.
As was the case in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of the data breaches reported by Anthem, Premera, and Excellus were not repeated in 2016, but 2016 did see a major increase in healthcare hacks.
The loss and theft of unencrypted devices used to store PHI fell considerably year on year, which is certainly good news. However, if data encryption technology had have been employed, all of those data breaches could have been avoided. That would have meant the healthcare records of almost 1,500,000 individuals would not have been exposed.
| Main Cause of Breach | 2016 | 2015 |
| Unauthorized Access/Disclosure | 130 | 102 |
| Hacking/IT Incident | 113 | 57 |
| Theft | 62 | 81 |
| Loss | 16 | 23 |
| Improper Disposal | 7 | 6 |
2016 Healthcare Data Breaches by Covered Entity
Healthcare data breaches in 2016 followed a similar pattern to 2015, with healthcare providers the main entities breached, although the percentage of breaches affecting health plans was significantly lower in 2015. Data breaches at business associates remained at the same level year on year.
| Breached Entity | 2016 | 2015 |
| Healthcare Provider | 257 | 196 |
| Health Plan | 52 | 62 |
| Business Associate | 20 | 19 |
What Steps Can Covered Entities Take to Minimize the Risk of Data Breaches?
To be compliant with HIPAA, covered entities must implement physical, technical, and administrative controls to safeguard protected health information. However, HIPAA compliance does not mean a healthcare organization will have a good security posture.
HIPAA requirements should be viewed as a minimum standard for privacy and security. To prevent data breaches healthcare organizations need to look beyond compliance.
HIPAA requires covered entities to employ encryption or alternative controls that offer an equivalent level of protection. Judging by the number of loss/theft incidents reported to OCR over the past 12 months, the ‘equivalent controls’ put in place by many covered entities do not the same level of protection. Covered entities that do not currently encrypt PHI on portable devices should re-evaluate the controls they have in place to safeguard PHI.
Insider breaches continue to be the leading cause of security breaches in the healthcare industry, but preventing insider breaches can be complicated. Employees must be given access to PHI in order to do their jobs and there will always be rogue employees that decide to supplement their earnings by stealing healthcare records or snoop on patient data. You can read a detailed guide to the breach notification rules here.
To reduce the threat from within, healthcare organizations should review their insider threat management policies and consider using technology to identify breaches rapidly. HIPAA requires ePHI access logs to be maintained and regularly checked. An annual check may be sufficient for HIPAA compliance, but it means a rogue employee could be stealing healthcare records for 12 months before being caught.
As recent malware incidents have shown, good patch management policies are essential. Healthcare organizations should perform weekly checks to ensure software and operating systems are up to date with all patches applied. The failure to patch promptly makes it too easy for cybercriminals to take advantage.
Technology can be purchased to make it harder for hackers to gain access to networks and data, but defenses need to be tested to determine whether any gaps exist. Healthcare organizations should consider penetration testing to probe their defenses for weaknesses and find and address security gaps before hackers can take advantage.
Data Source: Department of Health and Human Services’ Office for Civil Rights: Figures Updated February 7, 2017