Security Breaches in Healthcare in the Last Three Years
There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years.
There has been a steady rise in reported security breaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017.
More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over-year for the past three years.
In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were exposed or stolen. The majority of those records were exposed in three data breaches: the 78.8 million-record data breach at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.
Other major security breaches in 2015 include the University of California Los Angeles Health breach of 4.5 million records and the Medical Informatics Engineering breach of 3.9 million records.
In 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: the 3.62 million-record breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach at 21st Century Oncology.
In 2017, the worst year for healthcare security incidents in terms of the number of breaches reported, there were 3,286,498 healthcare records exposed or stolen. There were two breaches involving more than half a million records: the 500,000-record breach at Airway Oxygen, Inc., and the 697,800-record breach at Commonwealth Health Corporation.
15 Largest Security Breaches in Healthcare in the Last Three Years
| Rank | Year | Covered Entity | Entity Type | Records Exposed/Stolen | Breach Cause |
|---|---|---|---|---|---|
| 1 | 2015 | Anthem, Inc. Affiliated Covered Entity | Health Plan | 78,800,000 | Hacking/IT Incident |
| 2 | 2015 | Premera Blue Cross | Health Plan | 11,000,000 | Hacking/IT Incident |
| 3 | 2015 | Excellus Health Plan, Inc. | Health Plan | 10,000,000 | Hacking/IT Incident |
| 4 | 2015 | University of California, Los Angeles Health | Healthcare Provider | 4,500,000 | Hacking/IT Incident |
| 5 | 2015 | Medical Informatics Engineering | Business Associate | 3,900,000 | Hacking/IT Incident |
| 6 | 2016 | Banner Health | Healthcare Provider | 3,620,000 | Hacking/IT Incident |
| 7 | 2016 | Newkirk Products, Inc. | Business Associate | 3,466,120 | Hacking/IT Incident |
| 8 | 2016 | 21st Century Oncology | Healthcare Provider | 2,213,597 | Hacking/IT Incident |
| 9 | 2015 | CareFirst BlueCross BlueShield | Health Plan | 1,100,000 | Hacking/IT Incident |
| 10 | 2016 | Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants | Healthcare Provider | 882,590 | Hacking/IT Incident |
| 11 | 2016 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | 749,017 | Hacking/IT Incident |
| 12 | 2017 | Commonwealth Health Corporation | Healthcare Provider | 697,800 | Theft |
| 13 | 2015 | Virginia Department of Medical Assistance Services (VA-DMAS) | Health Plan | 697,586 | Hacking/IT Incident |
| 14 | 2016 | Bon Secours Health System Incorporated | Healthcare Provider | 651,971 | Unauthorized Access/Disclosure |
| 15 | 2015 | Georgia Department of Community Health | Health Plan | 557,779 | Hacking/IT Incident |
Main Causes of Security Breaches in Healthcare in the Last Three Years
The three main causes of security breaches in healthcare in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the loss/theft of physical records and unencrypted electronic devices containing ePHI.
There has been a downward trend in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting records on portable electronic devices. However, improper disposal incidents have risen year over year as have hacking incidents. In 2017, hacking/IT incidents were the main cause of healthcare data breaches.
Financial Penalties for Security Breaches in Healthcare in the Last Three Years
In addition to annual increases in data breaches, financial penalties for HIPAA violations have also been increasing, both in the number of settlements and civil monetary penalties issued and in the penalty amounts.
The HHS’ Office for Civil Rights is now enforcing HIPAA Rules far more aggressively and multi-million-dollar fines are regularly issued. The last three years have seen 29 HIPAA covered entities and business associates financially penalized for data breaches that have occurred as a result of noncompliance with HIPAA Rules.
In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties from its enforcement actions. The average settlement amount in 2017 was $1.94 million.