The healthcare data breaches that grab news headlines are just the tip of the iceberg. There are in fact more than 850 data breaches from the past two years that remain under investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Those breaches—which have resulted from cyberattacks as well as mishandled information—have disrupted services and caused significant financial losses for healthcare providers and health plans. Meanwhile, they have potentially affected more than 166 million individuals.
Analyzing statistics on data breaches can help organizations identify key trends and better understand the tremendous impact breaches can have on healthcare organizations and patients. By evaluating common causes and reviewing best practices for prevention, your organization can reduce the likelihood that you and your customers will be victims.
Healthcare data breaches have been on the rise for more than a decade. Between late 2009, when the HHS OCR began publishing data breach metrics, and the end of 2023, there were 5,887 large breaches (i.e., breaches affecting 500 or more records). The HIPAA Journal, which publishes a regularly updated report on HHS OCR metrics, shows that the number of breaches reported to OCR has climbed nearly every year, from 199 in 2010 (the first full year of reporting) to 725 in 2023.
[source: The HIPAA Journal 2024]
The size of breaches has also increased, according to the HIPAA Journal. Over the past three years, the number of records exposed, stolen, or otherwise disclosed has grown from 45.9 million (2021) to 51.9 million (2022), and then to 133 million (2023).
The average and median sizes of breaches have fluctuated since 2009, though there is a general upward trend for both. For example, the median breach size in 2010 was 2,027 records; by 2023, the median had reached 5,562 records.
[source: The HIPAA Journal 2024]
The size of the largest breaches is growing. In 2023, there were 26 breaches of more than 1 million records and four breaches with more than 8 million records compromised. The largest breach, the hacking of HCA Healthcare in July 2023, affected about 11.27 million individuals.
Given these metrics, it’s not surprising that the rate of breaches has accelerated. In 2018, the healthcare industry experienced approximately one breach per day. In 2023, that number had nearly doubled, with almost two breaches per day, affecting a total of 350,000 records per day.
The largest breach over this period occurred in 2015, when Anthem Blue Cross Blue Shield was attacked. The company reported that approximately 78.8 million individuals were affected, including both current and former policyholders. Hackers stole personal information including names, birthdates, Social Security numbers, income data, home addresses, and email addresses.
The next largest breach occurred in 2018–2019, when more than 26 million individuals were affected by a breach of American Medical Collection Agency (AMCA) systems. Stolen data included Social Security numbers, payment card information, and, for some individuals, medical information.
It’s not yet clear how many records might have been exposed during the attack on UnitedHealth Group’s Change Healthcare electronic clearinghouse in early 2024. In that case, a ransomware attack cut the link between medical providers and insurance companies, leaving providers unable to transmit patient claims and receive payment for services. Change Healthcare has not disclosed the number of people affected, though the incident likely exposed millions of records.
There’s little doubt that the frequency of large-scale breaches is increasing. The vast majority (90%) of the top 59 incidents highlighted by the HIPAA Journal (and reported to the OCR) occurred in 2015 or later. More than two-thirds (69%) have occurred in 2020 or later.
As some of the most prominent incidents show, data breaches can affect all types of healthcare organizations. While healthcare providers often have the highest numbers of breaches, health plans, clearinghouses, and other partner organizations are also vulnerable.
When a breach occurs, a healthcare organization can face hefty fines and other monetary penalties. The HHS OCR can fine organizations for violating HIPAA rules while the attorneys general of individual states can also bring actions against organizations.
In many cases, healthcare organizations settle with the HHS OCR. The organization agrees to pay a specified amount and to carry out a corrective action plan addressing the compliance failures OCR identified, typically without admitting liability.
These settlements can reduce the fines levied by the OCR, but healthcare organizations still might be required to pay large sums. For example, in 2023, L.A. Care Health Plan, the largest publicly operated health plan in the United States, reached a settlement for $1.3 million. The settlement, and the associated corrective action plan, covered two data breaches caused by errors rather than attacks. In 2014, members could see other members’ information when logging in to a payment portal; in 2019, member ID cards were mailed to the wrong members.
The largest settlement over the past decade involved the Anthem breach that occurred in 2015. The organization settled with the government in 2018, agreeing to pay $16 million. The second largest settlement was reached in 2020, when Premera Blue Cross paid $6.85 million for a 2015 data breach that affected more than 10 million individuals.
While large fines are levied in the cases of large breaches, the HIPAA Journal reports that the size of fines is trending lower. The government is, however, stepping up enforcement on smaller organizations. More than half of the financial penalties from 2022 were issued against small medical practices.
According to the HHS OCR, a data breach is “an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information.” The HHS OCR classifies reported breaches into several categories: hacking/IT incidents, unauthorized access/disclosure, theft, loss, and improper disposal.
The HHS OCR metrics show that hacking/IT incidents are the most frequent type of event, followed by unauthorized access/disclosure, theft, loss, and improper disposal.
However a breach occurs, the impact can be enormous for both organizations and patients. Healthcare organizations can suffer severe financial consequences. They might need to pay a ransom, then recover data and restore systems, conduct investigations, and remedy security vulnerabilities. Service disruptions can cause losses in revenue, and those losses can extend for months if reputational damage keeps patients or customers away. Organizations might also need to pay fines, offer identity protection for affected individuals, and pay legal settlements.
If patient information is stolen and sold, patients could feel the repercussions of data breaches for months or years. For example, they could be subject to identity theft if criminals use the stolen personal information. And if their healthcare records are altered, their safety and future care could be at risk. Affected patients may need to use credit monitoring services and be vigilant about managing their healthcare going forward.
Given the increasing frequency of cybersecurity attacks on healthcare organizations, all organizations should continuously reevaluate their security strategies. Many will need to implement additional security capabilities and revise processes to better protect their IT environment from breaches.
To prevent unauthorized access, organizations need to strengthen access control capabilities. Deploying multi-factor authentication can help guard against unauthorized access even if employee credentials are stolen through phishing schemes or other means.
Organizations will also benefit from implementing network monitoring and network segmentation capabilities. IT teams can identify intrusions quickly and isolate systems before hackers can cause major damage.
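The two recommendations above, MFA and network monitoring, translate into concrete detection rules. The following Python pass over constructed authentication log lines is an added example, not code from the article or from Cloudticity. It flags two conditions a monitoring team would want surfaced quickly: a successful login that did not complete a second factor (a sign MFA enforcement has a gap), and a success that follows a burst of failures for the same account (a common signature of phished or credential-stuffed passwords). The log format, field names, window and threshold are assumptions chosen for illustration.

```python
"""Toy authentication-log intrusion detection (added example, not the article's code).

Flags successful logins that skipped MFA and successes that follow a burst of
failed attempts. Log format and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO-8601 UTC timestamp> user=<id> src=<ip> result=<success|failure> mfa=<true|false>
SAMPLE_LOG = """\
2024-03-01T08:00:05Z user=jdoe src=10.20.1.14 result=success mfa=true
2024-03-01T08:01:10Z user=ksmith src=10.20.1.77 result=success mfa=true
2024-03-01T08:02:00Z user=rpatel src=203.0.113.9 result=failure mfa=false
2024-03-01T08:02:04Z user=rpatel src=203.0.113.9 result=failure mfa=false
2024-03-01T08:02:09Z user=rpatel src=203.0.113.9 result=failure mfa=false
2024-03-01T08:02:15Z user=rpatel src=203.0.113.9 result=failure mfa=false
2024-03-01T08:02:21Z user=rpatel src=203.0.113.9 result=failure mfa=false
2024-03-01T08:02:30Z user=rpatel src=203.0.113.9 result=success mfa=false
2024-03-01T08:10:00Z user=ksmith src=198.51.100.4 result=success mfa=false
2024-03-01T09:30:00Z user=jdoe src=10.20.1.14 result=failure mfa=false
2024-03-01T09:31:00Z user=jdoe src=10.20.1.14 result=success mfa=true
"""

FAILURE_THRESHOLD = 5          # failures within WINDOW before a success (assumed)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumed)


def parse_line(line):
    """Parse one key=value log line into a dict; the timestamp becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "src": fields["src"],
        "success": fields["result"] == "success",
        "mfa": fields["mfa"] == "true",
    }


def detect(log_text):
    """Return a list of (rule, user, src, timestamp) alerts, in time order."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures inside WINDOW
    for e in events:
        user = e["user"]
        # Drop failures that have aged out of the sliding window.
        recent_failures[user] = [t for t in recent_failures[user] if e["ts"] - t <= WINDOW]
        if not e["success"]:
            recent_failures[user].append(e["ts"])
            continue
        # Rule 1: a successful login that never completed a second factor.
        if not e["mfa"]:
            alerts.append(("login_without_mfa", user, e["src"], e["ts"]))
        # Rule 2: a success right after a burst of failures for the same account.
        if len(recent_failures[user]) >= FAILURE_THRESHOLD:
            alerts.append(("success_after_failure_burst", user, e["src"], e["ts"]))
        recent_failures[user].clear()
    return alerts


if __name__ == "__main__":
    for rule, user, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user} src={src}")
```

On the constructed input, rpatel triggers both rules (five failures in under a minute, then a success with no second factor), ksmith triggers the MFA rule from a new source address, and jdoe's single failure followed by an MFA-backed success is correctly ignored. In production the same logic would run over the identity provider's audit stream, and a "login_without_mfa" hit should be treated as a policy bug to close, not just an event to review.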
Employee training and education are also critical. Employees should understand the risks of cyberattacks and learn best practices for reducing those risks. For example, they should be required to use robust, unique passwords and learn how to identify suspicious emails that could be part of phishing schemes.
Ensuring compliance with HIPAA regulations and working toward HITRUST certification can also help bolster security. HIPAA rules and the HITRUST framework can serve as guides to the areas where an organization should focus its efforts. Going through the rigorous process of achieving HITRUST certification will not only help protect against breaches but also provide a means of competitive differentiation.
The healthcare data security landscape is evolving rapidly. New technologies, such as AI and machine learning, could help healthcare organizations anticipate and identify threats more quickly. They will need these technologies to combat cybercriminals who are also employing new technologies and resources, including Ransomware-as-a-Service offerings, to attack more organizations, faster.
As healthcare organizations add new security capabilities, many will also adopt cyber insurance as a way to cover data breach costs. Though premiums are rising, organizations can still benefit from policies that cover costs ranging from ransom payments and data restoration to regulatory fines and legal settlements.
Meanwhile, government agencies and industry organizations are working to address cybersecurity threats and other causes of healthcare data breaches. For example, as the government steps up enforcement of HIPAA violations, agencies are considering mandating more frequent security audits and requiring greater accountability for cybersecurity preparedness.
One thing is clear: The volume and severity of data breaches are unlikely to diminish any time soon. To prevent financial losses and reduce potential harm to patients, healthcare organizations must make cybersecurity a high priority.
Learn how Cloudticity can help your organization strengthen cybersecurity and reduce the likelihood of data breaches. Contact us for a free consultation today.