US Healthcare Data Breach Statistics

Updated on: 9 September 2020
Updated on:9 September 2020

Healthcare data breaches increased by 2733% between 2009 and 2019 in the United States. The alarming frequency of such attacks has resulted in the majority of Americans’ healthcare data being exposed.

The origins of healthcare data breaches range from disgruntled employees to state sponsored hackers. On many occasions, the data ends up for sale on the dark web.

We studied data from a range of reputable sources to find out just how bad the situation is for healthcare data privacy in the USA, and whether things are likely to get better or worse in the coming years.

Among many worrying insights, we found between 2009 and 2019:

  • 3,054 data breaches of healthcare records
  • 230,954,151 healthcare records lost, stolen, or exposed
  • 70% of the US population affected by healthcare data breaches

Healthcare Data Breaches by Year

Healthcare data breaches occurred 2733% more frequently in 2019 than they did in 2009, at an average of 1.4 breaches involving at least 500 records per day.

At least 3,054 breaches occurred in the decade. These are known and reported breaches, and the true figure may be far higher.

Healthcare Data Breaches per Year

Healthcare Records Exposed by Year

The worst year for overall number of healthcare records exposed was 2015, despite having fewer total breaches than the two years prior and every subsequent year. This is primarily due to the Anthem Inc. data breach that exposed personally identifiable medical records of 28.8 million people.

2018 and 2019 saw a sharp increase in the number of individuals affected by healthcare data breaches, with a six-fold increase between 2017 and 2019.

Individuals Affected by Medical Data Breaches

Median Healthcare Data Breach Size by Year

Other than the massive Anthem Inc. breach in 2015, most incidents were below average for the decade. In fact, there’s a fairly regular median size of breach until 2019, when it almost doubles.

Median Medical Data Breach Size

Healthcare Hacking Incidents by Year

Prior to 2016, there were under 100 breaches each year. Between 2016 and 2018 that number rose dramatically to 423 in just three years. 2019 was the worst year by far, with 303 healthcare data security breaches.

It’s worth noting that whilst the sophistication of hacks has increased, so has the ability of organizations to identify attacks that may not have even been discovered before.

Medical Hacking Incidents per Year

Unauthorized Access/Disclosures by Year

Unauthorized access and disclosures consist of internal breaches such as employee error or malice. Due to the prevalence of recent data breaches, healthcare organizations have invested heavily into breach-detection, which may explain the sudden increase in reported incident numbers.

Unauthorized Access of Medical Records

Loss/Theft of PHI and Unencrypted ePHI by Year

One of the most serious incidents that can result from a data breach is the loss of unsecured personally identifiable information. A frequent cause for this is human negligence with regard to cyber security. Many incidents have occured with the theft of an unencrypted laptop from a vehicle or other publicly accessible location.

Loss or Theft of PHI

Improper Disposal of PHI/ePHI by Year

When data is no longer needed it must be carefully disposed of. Old hard drives must be fully sanitized, rather than simply wiped. Where personal data is concerned, complete destruction of storage devices is recommended.

Over the past decade, over 1 million personal healthcare records have been leaked due to improper disposal.

Improper Disposal of PHI

Biggest Data Breaches of the Decade

RankNameYearEntiry TypeIndividuals AffectedType
#1Anthem Inc.2015Health Plan78,800,000Hacking
#2Premera Blue Cross2015Health Plan11,000,000Hacking
#3Laboratory Corporation of America Holdings dba LabCorp2019Healthcare Provider10,251,784Hacking
#4Excellus Health Plan, Inc.2015Health Plan10,000,000Hacking
#5Community Health Systems Professional Services Corporations2014Healthcare Provider6,121,158Hacking
#6Science Applications International Corporation2011Business Associate4,900,000Loss
#7University of California, Los Angeles Health2015Healthcare Provider4,500,000Hacking
#8Community Health Systems Professional Services Corporation2014Business Associate4,500,000Theft
#9Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group2013Healthcare Provider4,029,530Theft
#10Medical Informatics Engineering2015Business Associate3,900,000Hacking
#11Banner Health2016Healthcare Provider3,620,000Hacking
#12Newkirk Products, Inc.2016Business Associate3,466,120Hacking
#13AccuDoc Solutions, Inc.2018Business Associate2,652,537Hacking
#1421st Century Oncology2016Healthcare Provider2,213,597Hacking
#15Xerox State Healthcare, LLC2014Business Associate2,000,000Unauthorized Access
#16IBM2011Business Associate1,900,000Unknown
#17Clinical Pathology Laboratories, Inc.2019Healthcare Provider1,733,836Hacking
#18GRM Information Management Services2011Business Associate1,700,000Theft
#19Iowa Health System d/b/a UnityPoint Health2018Business Associate1,421,107Hacking
#20Employees Retirement System of Texas2018Health Plan1,248,263Unauthorized Access

2015 was a big year for big data breaches. Of the 10 biggest healthcare data breaches between 2009 and 2019, five occurred in 2015.

Hacking was the main cause of all the biggest attacks, including the massive 2015 Anthem Inc. attack that led to a breach affecting 78.8 million individuals. The Antham Inc. breach was seven times larger than the second biggest of the decade, and bigger than the subsequent nine largest put together.

Why is healthcare data so frequently targeted?

The data shows that healthcare organizations are extremely vulnerable to cyber attack. The amount of personal information held in such databases is problematic for both healthcare organisations and the public.

Healthcare providers have steadily increased their cyber security budgets over the past decade, however many still use outdated and poorly secured computer systems. But why are these organizations so frequently attacked, and is there anything that can be done to further protect this data?

Some common issues that often lead to healthcare information data breaches are:

Outdated systems make them an easy target

Hospitals in particular are extremely vulnerable to cyber attack due to many using outdated computer systems. Hospital IT teams are often so busy with simply keeping systems and databases working correctly that data security becomes a lower priority. This means that known vulnerabilities are often left unpatched and systems not updated.

Medical devices connected to the network are often unsecured

A huge number of modern medical devices rely on networking in order to relay information and work together. Similar to using a smartphone to control your thermostat, hospitals increasingly rely on IoT for improved patient care.

Due to the vast number of connected devices in hospitals, the logistical challenge for IT teams is often too great for proper cyber security maintenance. Add to this that medical devices are not usually built with security baked in, and it’s easy to see why medical devices are often used as an entry point for an attacker to gain access to a healthcare provider’s network.

Data needs to be accessible and shareable, but most staff have no cyber security training

Medical staff need to have access to patient data, but the additional training costs and time constraints often mean that the people who access the network most frequently are ill equipped to keep it secure. When accessing data remotely, staff may be using their own potentially compromised devices. IT only takes one such device to open an attack vector.

Healthcare data breaches aren't going away

It’s clear to see by the trends over the past decade that the problems surrounding healthcare data will not go away without serious time, training, and money, invested into creating a whole new infrastructure that is ready for frequent patching, and leaves less room for human error.

The sheer value of healthcare data is such that without making it exceedingly difficult for attackers to access, they will continue to come up with new and increasingly intelligent methods of attack.

Sources:

https://www.hhs.gov/

https://www.hipaajournal.com/

https://www.cdc.gov/

https://ocrportal.hhs.gov/

Written by: Joe Robinson

Connect with him:

Data privacy and cyber security expert. Joe has been working in the VPN field for over seven years, and has a passion for analysis and debate. He loves learning new technologies and software, and regularly uses everything from Kali Linux to Pro-tools. When not writing about digital security, Joe helps businesses improve their website usability and spends his free time playing guitar and reading about data science, IoT, and philosophy.

Leave a Reply

Your email address will not be published. Required fields are marked *