Security Breaches in Healthcare in the Last Three Years

There have been 955 major security breaches in healthcare in the last three years that have resulted in the exposure/theft of 135,060,443 healthcare records. More than 41% of the population of the United States have had some of their protected health information exposed as a result of those breaches, which have been occurring at a rate of almost one a day over the past three years.

There has been a steady rise in reported security beaches in healthcare in the last three years. In 2015 there were 270 data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights. The figure rose to 327 security breaches in 2016, and 342 security breaches in 2017.

reported healthcare data breaches in 2017

More healthcare security breaches are being reported than at any other time since HIPAA required covered entities to disclose data breaches, although the number of individuals affected by healthcare data breaches has been declining year-over year for the past three years.

In 2015, a particularly bad year for healthcare industry data breaches, 112,107,579 healthcare records were exposed or stolen. The majority of those records were exposed in three data breaches. The 78.8 million-record data breach at Anthem Inc., the 11 million-record breach at Premera Blue Cross, and the 10 million-record breach at Excellus Health Plan.

Other major security breaches in 2015 include the University of California Los Angeles Health breach of 4.5 million records and Medical Informatics Engineering breach of 3.9 million records.

In 2016, 14,679,461 healthcare records were exposed or stolen, with three incidents involving more than 1 million records: The 3.62 million-record breach at Banner Health, the 3.46 million-record breach at Newkirk Products, Inc., and the 2.21 million-record breach at 21st Century Oncology.

In 2017, the worst year for healthcare security incidents in terms of the number of breaches reported, there were 3,286,498 healthcare records exposed or stolen. There were two breaches involving more than half a million records. The 500,000-record breach at Airway Oxygen, Inc., and the 697800-record breach at Commonwealth Health Corporation

15 Largest Security Breaches in Healthcare in the Last Three Years


Rank Year Covered Entity Entity Type Records Exposed/Stolen Breach Cause
1 2015 Anthem, Inc. Affiliated Covered Entity Health Plan 78800000 Hacking/IT Incident
2 2015 Premera Blue Cross Health Plan 11000000 Hacking/IT Incident
3 2015 Excellus Health Plan, Inc. Health Plan 10000000 Hacking/IT Incident
4 2015 University of California, Los Angeles Health Healthcare Provider 4500000 Hacking/IT Incident
5 2015 Medical Informatics Engineering Business Associate 3900000 Hacking/IT Incident
6 2016 Banner Health Healthcare Provider 3620000 Hacking/IT Incident
7 2016 Newkirk Products, Inc. Business Associate 3466120 Hacking/IT Incident
8 2016 21st Century Oncology Healthcare Provider 2213597 Hacking/IT Incident
9 2015 CareFirst BlueCross BlueShield Health Plan 1100000 Hacking/IT Incident
10 2016 Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants Healthcare Provider 882590 Hacking/IT Incident
11 2016 County of Los Angeles Departments of Health and Mental Health Healthcare Provider 749017 Hacking/IT Incident
12 2017 Commonwealth Health Corporation Healthcare Provider 697800 Theft
13 2015 Virginia Department of Medical Assistance Services (VA-DMAS) Health Plan 697586 Hacking/IT Incident
14 2016 Bon Secours Health System Incorporated Healthcare Provider 651971 Unauthorized Access/Disclosure
15 2015 Georgia Department of Community Health Health Plan 557779 Hacking/IT Incident


Main Causes of Security Breaches in Healthcare in the Last Three Years

The three main causes of security breaches in healthcare in the last three years were hacking/IT incidents, unauthorized access and disclosure incidents, and the loss/theft of physical records and unencrypted electronic devices containing ePHI.

There has been a downward trend in the number of theft/loss incidents over the past three years as healthcare organizations have started encrypting records on portable electronic devices. However, improper disposal incidents have risen year over year as have hacking incidents. In 2017, hacking/IT incidents were the main cause of healthcare data breaches.

healthcare data breaches in 2017 (hacking)

healthcare data breaches in 2017 (Unauthorized access/disclosures)

Healthcare Data Breaches in 2017 (loss/theft)

Financial Penalties for Security Breaches in Healthcare in the Last Three Years

In addition to annual increases in data breaches, financial penalties for HIPAA violations have also been increasing, both in terms of number of settlements and civil monetary penalties issued and the penalty amounts.

The HHS’ Office for Civil Rights is now enforcing HIPAA Rules far more aggressively and multi-million-dollar fines are regularly issued. The last three years have seen 29 HIPAA covered entities and business associates financially penalized for data breaches that have occurred as a result of noncompliance with HIPAA Rules.

In the last three years, the HHS’ Office for Civil Rights has collected $49,091,700 in financial penalties from its enforcement actions. The average settlement amount in 2017 was $1.94 million.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.