Surprising Results from 2014/2015 HIPAA Breach Analysis

A comparison of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between January and April of 2014 and 2015 shows some surprising results.

Year on Year Comparison of Data Breaches

The total number of victims of breaches of PHI during the first four months of 2014 and 2015 differ by only 6,834 records if the two mega data breaches (Anthem / Premera) are taken out of the equation and are considered as anomalies. Add those breaches and the figures tell a very different story, adding a further 89,800,000 individual health plan member records to that total.

118 data breaches were reported during the first third of 2014, with 91 reported during the same period in 2015, a fall of almost 23%.

Causes of Data Breaches

Recent reports indicate hacking to be the main cause of data breaches, and it has certainly resulted in the most records being exposed. Between January and April, 2014, there were 15 reported data breaches attributed to hacking, while in 2015 30 cases of hacking have been reported: A 100% increase. Theft of devices fell by 42% year on year, with all other incidents being broadly comparable.

Breaches by Covered Entity

Interestingly, in both 2014 and 2015 there were 61 data breaches reported by healthcare providers between January and April. Business Associates appear to have got to grips with HIPAA legislation, having reduced the number of data breaches from 39 incidents in 2014 to a single data breach in 2015 and one with “BA involvement”.

Healthcare providers have seen the number of data breaches double year on year, registering 16 breaches between January and April 2014, with 29 breaches reported in 2015 – a 42% increase.

Location of Breached Information

In terms of where the breaches are occurring, there are some marked differences year on year. Figures for Desktop/PCs, EMRs and paper/film data breaches are broadly similar, although there has been a marked decrease in laptop/portable device loss and theft year on year. Network server data breaches have increased slightly, as have breaches involving physical records.

The most serious data breaches

Unsurprisingly, with the 78.8 million-record data breach at Anthem and the 11 million-record data breach at Premera Health, in 2015 hacking has been the most serious cause of HIPAA breaches. Hacking has resulted in cybercriminals obtaining 91,816,258 records, compared to 462,168 records during the same period last year.

Unauthorized disclosures were broadly similar, while loss and theft of devices exposed far fewer records in 2015.

The results of the analysis are summarized in the infographic below.



Data was obtained from breach reports submitted to the Office for Civil Rights. Any errors made by CEs in reporting will be reflected in this report, as will any delays in reporting data breaches for April 2015.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.