HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New Report Reveals 2016 Data Breach Trends

2016 was a particularly bad year for healthcare data breaches. The healthcare industry was targeted by ransomware gangs, careless employees left healthcare records exposed, and hackers broke through defenses on numerous occasions. 2016 was nowhere near as bad as 2015 in terms of the number of healthcare records stolen or exposed, but more healthcare data breaches were reported in 2016 than in previous years. But how did 2016 compare to other industries?

A new data breach report from Risk Based Security highlights recent data breach trends and confirms just how bad 2016 was for cybersecurity incidents. The total number of data breaches reported in 2016 – 4,149 data breaches – was on a par with 2015. However, the severity of data breaches in 2016 was far worse.

Until 2016, the worst year in terms of the number of records exposed or stolen was 2013, when the milestone of 1 billion exposed or stolen records was exceeded for the first time. However, in 2016 there were 3.2 billion more records exposed or stolen than that landmark year. More than 4.2 billion records were exposed or stolen between January and December 2016.

The worst security breaches of 2016 were caused by hackers. 9 out of the top 10 worst data breaches of 2016 were due to hacks, with one web breach ranking in the top ten. 2016 saw six data breaches make the top ten list of the worst data breaches ever reported as well as the worst ever data breach – The 1 billion-record breach at Yahoo. The top ten breaches of the year resulted in the theft or exposure of more than 3 billion records. Seven out of the top ten data breaches of 2016 had a severity score of 10/10, with an average score of 9.96/10.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

94 data breaches involving more than 1 million exposed records were reported over the course of the year – a 63% increase year on year. 37 data breaches of more than 10 million records were reported – an increase of 105% over 2015.

Risk Based Security’s figures show the United States was the worst hit. 47.5% of data breaches affected U.S. companies and those breaches accounted for 68.2% of the total number of exposed or stolen records. California was the worst hit state, registering 234 breaches and 80.48% of exposed records. Florida in second place with 113 breaches, followed by Texas with 105 and New York with 104.

While healthcare industry data breaches increased in 2016, they still only made up a small percentage of the total – 9.2% and just 0.3% of the total number of records exposed. The business sector was the worst hit, registering 51% of data breaches over the course of the year. Those breaches accounted for 80.9% of exposed or stolen records.

The 2016 data breach report indicates 7.6% of breaches were reported by medical institutions and 2.1% by hospitals. 11% of medical data breaches involved third parties.

Hacking was the main cause of breaches in 2016, accounting for 53.3% of the total. Those breaches were also the most severe, accounting for 91.9% of exposed or stolen records. One of the most common techniques used by hackers in 2016 was SQL injection, although in many cases there was no need to hack at all. More than 256 million records were exposed or stolen as a result of misconfigured databases and websites.

Insider breaches were a major cause of healthcare data breaches in 2016, although across all industries, insider incidents only accounted for 18.3% of the total. While malware attacks were frequent, they only accounted for 4.5% of the total number of breaches and 0.4% of exposed records.

The Data Breach QuickView Report can be downloaded on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.