Federal Tally Reaches 5,000 Health Data Breaches Since 2009
More People Affected by Breaches Than Total US Population
The federal tally of health data breaches reached a new milestone this week: The healthcare industry has reported more than 5,000 major data privacy and security incidents to the Department of Health and Human Services. The department's Office of Civil Rights keeps a public online tally on its HIPAA breach "wall of shame," which has been running since 2009.
A Wednesday snapshot of the website shows a total of 5,006 reported incidents, each affecting more than 500 individuals, with an overall total of nearly 369 million affected individuals.
That's more people affected by large health data breaches than the total U.S. population, which the Census Bureau on Jan. 1 tallied as 332.4 million. Likely many individuals have been caught up in more than one major health data breach.
So far in 2022 alone, 562 major data breaches affecting more than 39.2 million individuals have been posted to the tally. Companies reported hacking as the cause behind a large majority of those incidents.
About 206 of the breaches so far this year involved business associates. Those breaches affected 18.7 million individuals - or about 48% of the total affected by major health data breaches in 2022.
10 Largest Health Data Breaches in 2022, So Far
| Breached Entity | Individuals Affected |
|---|---|
| Advocate Aurora Health | 3 million |
| Shields Health Care Group | 2 million |
| Professional Finance Co. | 1.9 million |
| Baptist Medical Center | 1.6 million |
| Novant Health | 1.4 million |
| Broward Health | 1.35 million |
| Texas Tech University Health Sciences Center | 1.3 million |
| Partnership HealthPlan of California | 855,000 |
Of the 5,006 known healthcare industry breaches, slightly less than half are hacking incidents - but their relatively low frequency belies their importance, since those breaches were responsible for nearly 83% of all people affected.
Incidents involving business associates are less lopsided in the gap between frequency and effect. They amount to about 27% of total breaches and about 35% of all people affected.
10 Largest Health Data Breaches Since 2009
| Breached Entity | Individuals Affected |
|---|---|
| Anthem Inc. | 79 million |
| Premera Blue Cross | 11 million |
| Laboratory Corp. of America | 10.3 million |
| Excellus Health Plan | 9.36 million |
| Community Health Systems | 6.1 million |
| Science Applications International Corp. | 4.9 million |
| Community Health Systems | 4.5 million |
| 20/20 Eye Care Network | 4.1 million |
To date, the 2014 cyberattack on health plan Anthem Inc., which was reported in February 2015 as a hacking incident affecting nearly 79 million individuals, remains the largest health data breach appearing on the tally.
So far, none of the 10 largest HIPAA breaches appearing on the HHS website were reported in 2022.
The 11th-largest breach posted to the federal tally was reported this year on July 27 by business associate OneTouchPoint, a Wisconsin-based printing and mailing vendor.
That hacking incident, which involved ransomware, was reported by the business associate as affecting more than 4.1 million individuals. It is the largest breach posted on the federal tally so far this year.
Health data breach trends - especially those involving hacking incidents, such as ransomware and data exfiltration attacks, and vendors - will likely expand, given the consolidation and duplication of electronic protected health information in the "extended outsourcing environment," says Chris Gray, vice president of cybersecurity at security firm Deepwatch.
"Perimeters have been shattered, and extended telehealth/reporting/intake services open up the attack surface," he says.
"The healthcare industry needs more security resources. If the number of defenders remains status quo, while the attack surface grows and more sophisticated 'hacking tools' become freely available, then we'd expect more breaches and impact."
Michael Hamilton, CISO of security firm Critical Insight and former CISO of the city of Seattle, offers a similar assessment. "I do not see these trends changing until the market economics change around records theft and monetization," he says.