HIPAA Breach Statistics: Stolen Record Count Plunges

The healthcare industry may finally see light at the end of the tunnel.

The number of healthcare data breaches reported in 2017 increased slightly from the year prior – but there is good news.

The number of patient records impacted by breaches plunged 79.6% compared to 2016, according to statistics from the Breach Barometer Report 2017 by Protenus and Databreaches.net.

This continues a drop from the record-breaking HIPAA breaches reported in 2015. But has healthcare really turned a corner?

Dig into the report’s statistics below. See where more work is needed and get a few talking points to share with your healthcare clients.

HIPAA Breach Reported Every Day

The report combines data from the HIPAA Breach Portal and other sources, counting a total of 477 healthcare breaches reported in 2017.

That’s an average of slightly more than one breach (1.3) per calendar day.

Considering only business days, the average bumps to 1.8 – or about five breaches every three days.

Tell your clients: every day brings a new data breach in healthcare.

Count of Breached Medical Records Plummets

The number of healthcare records exposed in security incidents fell dramatically in 2017 – though it would have been difficult to match the high-water mark set in recent years.

More than 5 million patient records were affected by HIPAA breaches reported in 2017, according to the report.

That’s a significant improvement from the 27 million records affected in 2016 and the more than 100 million affected in 2015.

The scale of the largest HIPAA breaches has been falling since 2015, a year in which a single attack exposed more medical records than all of 2016 and 2017 combined.

In 2015, individual breaches exposed 78 million records (Anthem), 11 million records (Premera), and 10 million records (Excellus).

In 2016, the largest HIPAA breaches were much smaller. The three largest exposed 3.6 million records (Banner Health), 3.8 million records (Newkirk Products), and 2.2 million records (21st Century Oncology).

In 2017, the three biggest healthcare data breaches reported impacted 697,800 records (Commonwealth Health), 500,000 records (Airway Oxygen), and 300,000 records (Women’s Health Care Group of PA).

Two Major Causes of HIPAA Breaches

The report classifies breaches slightly differently than the HIPAA Breach Portal, helping to more specifically identify a breach’s cause.

Insiders – people working within the breached organization – were responsible for slightly more than one-third (37%) of HIPAA breaches reported in 2017, according to the report.

Hacking – or cyber attacks originating from outside the organization – also caused slightly more than one-third (37%) of healthcare breaches reported last year.

Of the remaining 26%, about 16% were attributed to loss or theft (excluding theft attributed to insiders), and the remaining 10% had insufficient data and were not classified.

Ransomware Breaches Spike in Healthcare

Hacking-related data breaches impacted the greatest number of healthcare records in 2017 – about 3.4 million, or 62% of the total for the year.

Within this group, 2017 saw a jump in breaches associated with ransomware and malware.

While only 30 such breaches were reported in 2016, the number more than doubled to 64 reported in 2017.

Is this due to a spike in ransomware attacks? It’s possible, and it’s also possible that victims of the attacks are growing more likely to report them.

In 2016, the DHHS OCR (Department of Health and Human Services Office for Civil Rights) published a ransomware fact sheet – which clarified the instances in which a ransomware attack is considered a HIPAA breach and must be reported.

The OCR reminded covered entities about this guidance in mid-2017, during a rash of ransomware attacks on hospitals.

Given the spike in reported ransomware attacks in healthcare, perhaps covered entities are getting the message.

Insider HIPAA Breach Overlooked for 14 Years

Insiders caused 176 of the HIPAA breaches reported last year, or about 37% of the total. These breaches impacted about 1.7 million patient records, or 30% of the total for 2017.

The report splits insider breaches into two types: insider error (58%) and insider wrongdoing (40%).

Insider wrongdoing caused fewer breaches but impacted more patient records than insider error: 893,978 vs. 785,281 respectively – a difference of 14%.

To underscore the threat of malicious insiders, the report notes the case of a hospital employee who snooped on patient records for a staggering 14 years.

The breach, which took place at Tewksbury Hospital, impacted 1,100 patient records, began during U.S. President George W. Bush’s first term in office, and was finally discovered last year.

“While hacking incidents are often quickly discovered because of the immediate disruption they have on an organization’s day-to-day operations, insider threats can remain undiscovered for long periods of time,” according to the report.

HIPAA Breach Reporting Still Too Slow

For breaches affecting more than 500 people, healthcare organizations have up to 60 days after the breach is discovered to report it to DHHS OCR.

The problem is that, on average, organizations miss the deadline. In 2017, an average of 73 days passed before a HIPAA breach was reported.

This is a big improvement from 2016, which saw an average of 344 days pass before a breach was reported.

Tell your clients: organizations that fail to report a breach by the OCR’s deadline risk being hit with a HIPAA fine.

In Jan. 2017, Presence Health was fined $475,000 for untimely reporting. The breach impacted only 836 people and went unreported for 101 days – a mere 41 days after the deadline.

Related Resources

Breach Barometer Report 2017 from Protenus and Databreaches.net.

Written by Calyptix, February 12, 2018