Show
We have compiled healthcare data breach statistics from October 2009 when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website until December 31, 2021. The healthcare data breach statistics below only include data breaches of 500 or more records that have been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), as details of smaller breaches are not made public by OCR. The breaches include closed cases and breaches still being investigated by OCR for potential HIPAA violations. Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 10 years, with 2021 seeing more data breaches reported than any other year since records first started being published by OCR. There have also been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. Better policies and procedures and the use of encryption have helped reduce these easily preventable breaches. Our healthcare data breach statistics show the main causes of healthcare data breaches are now hacking/IT incidents, with unauthorized access/disclosure incidents also commonplace. Healthcare Data Breaches by YearBetween 2009 and 2021, 4,419 healthcare data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 314,063,186 healthcare records. That equates to more than 94.63% of the 2021 population of the United States. In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day. Fast forward 4 years and the rate has doubled. In 2021, an average of 1.95 healthcare data breaches of 500 or more records were reported each day. Healthcare Records Exposed by YearAverage/Median Healthcare Data Breach Size by YearLargest Healthcare Data Breaches (2009-2021)
Healthcare Hacking Incidents by YearOur healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents. The low number of hacking/IT incidents in the earlier years could be partially due to the failure to detect hacking incidents and malware infections. Many of the hacking incidents between 2014-2018 occurred many months, and in some cases years, before they were detected. Unauthorized Access/Disclosures by YearAs with hacking, healthcare organizations are getting better at detecting insider breaches and reporting those breaches to the Office for Civil Rights. These incidents consist of errors by employees, negligence, and acts by malicious insiders. The number of reported breaches appears to have now plateaued. Loss/Theft of PHI and Unencrypted ePHI by YearOur healthcare data breach statistics show HIPAA-covered entities and business associates have gotten significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information.
Improper Disposal of PHI/ePHI by YearHIPAA requires healthcare data, whether in physical or electronic form, to be permanently destroyed when no longer required. The improper disposal of PHI is a relatively infrequent breach cause and typically involves paper records that have not been sent for shredding or have been abandoned. Healthcare Data Breaches by HIPAA-Regulated Entity TypeListed below are the healthcare data breaches of 500 or more records by the entity that reported the breaches. It should be noted that data breaches at business associated may be self-reported, but could be reported by each affected covered entity. The number of data breaches at business associates has been increasing, even not taking this reporting discrepancy into account.
OCR Settlements and Fines for HIPAA ViolationsThe penalties for HIPAA violations can be severe. Multi-million-dollar fines are possible when violations have been allowed to persist for several years or when there is systemic noncompliance with the HIPAA Rules. The penalty structure for HIPAA violations is detailed in the infographic below: OCR Settlements and Fines Over the YearsFurther information on HIPAA fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines imposed by OCR between 2008 and 2021. As the graph below shows, HIPAA enforcement activity has steadily increased over the past 14 years. The major rise in HIPAA violation penalties in 2020 was largely due to a new enforcement initiative by OCR targeting non-compliance with the HIPAA Right of Access – the right of patients to access and obtain a copy of their healthcare data. 11 settlements were reached with healthcare providers in 2020 to resolve cases where patients were not given timely access to their medical records, and in 2021 all but two of the 14 penalties were for HIPAA Right of Access violations. How Much Has OCR Fined HIPAA Covered Entities and Business Associates?In addition to an increase in fines and settlements, penalty amounts increased considerably between 2015 and 2018. In 2018, the largest ever financial penalty for HIPAA violations was paid by Anthem Inc to resolve potential violations of the HIPAA Security Rule that were discovered by OCR during the investigation of its 78.8 million record data breach in 2015. Anthem paid $16 million to settle the case. In 2020, Premera Blue Cross settled potential violations of the HIPAA Rules and paid a $6,850,000 penalty to resolve its 2015 data breach of the PHI of almost 10.5 million individuals, and in 2021 a $5,000,000 settlement was agreed with Excellus Health Plan to resolve HIPAA violations identified that contributed to its 2015 data breach of the PHI of almost 9.4 million individuals. While large financial penalties are still imposed to resolve HIPAA violations, the trend has been for smaller penalties to be issued in recent years, with those penalties imposed on healthcare organizations of all sizes. It was expected that 2018 would see fewer fines for HIPAA-covered entities than in the past two years due to HHS budget cuts, but that did not prove not to be the case. 2018 was a record-breaking year for HIPAA fines and settlements, beating the previous record of $23,505,300 set in 2016 by 22%. OCR received payments totaling $28,683,400 in 2018 from HIPAA-covered entities and business associates who had violated HIPAA Rules and 2020 saw a major increase in enforcement activity with 19 settlements. OCR Penalties for HIPAA Violations
*In 2021, following an appeal, the civil monetary penalty imposed on the University of Texas MD Anderson Cancer Center by the HHS’ Office for Civil Rights was vacated. State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare OrganizationsState attorneys general can bring actions against HIPAA-covered entities and their business associates for violations of the HIPAA Rules. Penalties range from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year. Only a handful of U.S. states have imposed penalties for HIPAA violations; however, that changed in 2019 when many state Attorneys General started participating in multistate actions against HIPAA-covered entities and business associates that experienced major data breaches and were found not to be in compliance with the HIPAA Rules. The penalties detailed below have been imposed by state attorneys general for HIPAA violations and violations of state laws. It is common for penalties to be imposed solely for violations of state laws, even though there may also have been HIPAA violations. Attorneys General HIPAA Fines
Healthcare Data Breach Statistics FAQsHow does the number of data breaches in the healthcare sector compare with other sectors?An analysis of data breaches recorded on the Privacy Rights Clearinghouse database between 2015 and 2019 showed that 76.59% of all recorded data breaches were in the healthcare sector. This implies the healthcare sector recorded three times as many data breaches as the education, finance, retail, and government sectors combined. Why are there so many more data breaches in the healthcare sector than in other sectors?Healthcare data is more valuable on the black market than financial data because financial data is shut down quickly before cybercriminals can make use of it, whereas healthcare data can be used to commit identity theft for much longer. Additionally, organizations in the healthcare sector tend to have larger databases – making them more attractive targets. It is also the case that organizations in the healthcare sector have stricter breach notification requirements than in other sectors. Certain types of breaches (i.e., ransomware attacks) have to be reported even if it cannot be established data has been compromised. The increasing number of recent ransomware attacks may have influenced the healthcare data breach statistics. Why has the average HIPAA penalty decreased since 2018 despite increases in the number of breaches and median breach size?Since 2019, the Office for Civil Rights (OCR) has been running a right of access initiative to clamp down on providers who fail to provide patients with access to their PHI within the thirty days allowed. Because penalties for right of access failures are less than for high volume data breaches, this has resulted in a decrease in the average HIPAA penalty in recent years. If a healthcare professional discloses PHI without authorization, is this included in the healthcare data breach statistics?Because the healthcare data breach statistics are compiled from breaches involving 500 or more records, individual unauthorized disclosures of PHI are not included in the figures. However, if the unauthorized disclosure is investigated by OCR and found to be attributable to willful neglect, any subsequent fines will be included in the settlement statistics. How can healthcare organizations mitigate data breaches?There are multiple steps healthcare organizations can take to mitigate data breaches. The most effective step is to encrypt protected health information to render it unusable, unreadable, or indecipherable in the event of a ransomware attack. This will ensure data is not compromised and the attack will not have to be reported to the Office for Civil Rights. Other steps include implementing two-factor authentication on privileged accounts to mitigate the consequences of credential theft, running checks on all storage volumes (cloud and on-premises) to ensure appropriate permissions are applied, checking network connections for unauthorized open ports, and eliminating Shadow IT environments developed as workarounds, |