
Federal Tally Reaches 5,000 Health Data Breaches Since 2009

More People Affected by Breaches Than Total US Population

The federal tally of health data breaches reached a new milestone this week: The healthcare industry has reported more than 5,000 major data privacy and security incidents to the Department of Health and Human Services. The department's Office of Civil Rights keeps a public online tally on its HIPAA breach "wall of shame," which has been running since 2009.


A Wednesday snapshot of the website shows a total of 5,006 reported incidents, each affecting more than 500 individuals, with an overall total of nearly 369 million affected individuals.

That's more people affected by large health data breaches than the total U.S. population, which the Census Bureau on Jan. 1 tallied as 332.4 million. Many individuals have likely been caught up in more than one major health data breach.

So far in 2022 alone, 562 major data breaches affecting more than 39.2 million individuals have been posted to the tally. Companies reported hacking as the cause behind a large majority of those incidents.

About 206 of the breaches so far this year involved business associates. Those breaches affected 18.7 million individuals - or about 48% of the total affected by major health data breaches in 2022.

10 Largest Health Data Breaches in 2022, So Far

Breached Entity                               | Individuals Affected
----------------------------------------------|---------------------
OneTouchPoint                                 | 4.1 million
Advocate Aurora Health                        | 3 million
Shields Health Care Group                     | 2 million
Professional Finance Co.                      | 1.9 million
Baptist Medical Center                        | 1.6 million
Novant Health                                 | 1.4 million
Broward Health                                | 1.35 million
Texas Tech University Health Sciences Center  | 1.3 million
Practice Resources                            | 942,000
Partnership HealthPlan of California          | 855,000

Source: U.S. Department of Health and Human Services

Bigger Picture

Of the 5,006 known healthcare industry breaches, slightly less than half are hacking incidents - but their relatively low frequency belies their importance, since those breaches were responsible for nearly 83% of all people affected.

Incidents involving business associates are less lopsided in the gap between frequency and effect. They amount to about 27% of total breaches and about 35% of all people affected.

10 Largest Health Data Breaches Since 2009

Breached Entity                               | Individuals Affected
----------------------------------------------|---------------------
Anthem Inc.                                   | 79 million
Optum360                                      | 11.5 million
Premera Blue Cross                            | 11 million
Laboratory Corp. of America                   | 10.3 million
Excellus Health Plan                          | 9.36 million
Community Health Systems                      | 6.1 million
Science Applications International Corp.      | 4.9 million
Community Health Systems                      | 4.5 million
UCLA                                          | 4.5 million
20/20 Eye Care Network                        | 4.1 million

Source: U.S. Department of Health and Human Services

To date, the 2014 cyberattack on health plan Anthem Inc., which was reported in February 2015 as a hacking incident affecting nearly 79 million individuals, remains the largest health data breach appearing on the tally.

So far, none of the 10 largest HIPAA breaches appearing on the HHS website were reported in 2022.

The 11th-largest breach posted to the federal tally was reported this year on July 27 by business associate OneTouchPoint, a Wisconsin-based printing and mailing vendor.

That hacking incident, which involved ransomware, was reported by the business associate as affecting more than 4.1 million individuals. It is the largest breach posted on the federal tally so far this year.

Looking Ahead

Health data breach trends - especially those involving hacking incidents, such as ransomware and data exfiltration attacks, and vendors - will likely expand, given the consolidation and duplication of electronic protected health information in the "extended outsourcing environment," says Chris Gray, vice president of cybersecurity at security firm Deepwatch.

"Perimeters have been shattered, and extended telehealth/reporting/intake services open up the attack surface," he says.

"The healthcare industry needs more security resources. If the number of defenders remains status quo, while the attack surface grows and more sophisticated 'hacking tools' become freely available, then we'd expect more breaches and impact."

Michael Hamilton, CISO of security firm Critical Insight and former CISO of the city of Seattle, offers a similar assessment. "I do not see these trends changing until the market economics change around records theft and monetization," he says.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
