
Record Number of Major Health Data Breaches in 2021

Analysis: Federal Tally Shows Breaches Climbing Annually, Hacks Dominating
The number of major health data breaches reported to HHS OCR in 2021 hit an annual record.

In the midst of the global COVID-19 pandemic, the federal tally shows that a record number of major health data breaches were reported in the U.S. in 2021, and the overwhelming majority of them involved hacking/IT incidents.


As of Monday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows some 713 major health data breaches affecting more than 45.7 million individuals posted for 2021.

Those figures could continue to grow in the weeks to come as HHS' Office for Civil Rights officials review and confirm details of additional HIPAA breach reports submitted at the end of 2021 and post them to the website.

While the number of major health data breaches reported to HHS in 2021 surpasses previous years, the number of health data breaches reported has grown steadily each year for at least the past five years.

The 45.7 million individuals affected in 2021 by major health data breaches, however, is not the record number affected in a year.

The largest number of people were affected by health data breaches in 2015, when 270 major HIPAA breaches affected a record 112.5 million individuals. But that included 78.8 million individuals affected by a single incident - a major cyberattack on health insurer Anthem.

That incident, which was detected in late 2014 but reported to HHS by Anthem in February 2015, is by far still the single largest reported health data breach to date.

Steady Growth

Since 2009, the HHS OCR website shows some 4,444 major health data breaches affecting nearly 321 million individuals. Over the past several years, that includes:

  • 663 breaches affecting more than 34 million individuals in 2020;
  • 512 breaches affecting 42.3 million individuals in 2019;
  • 369 breaches affecting 14.4 million individuals in 2018;
  • 358 breaches affecting nearly 5.3 million individuals in 2017;
  • 329 breaches affecting 16.7 million individuals in 2016;
  • 270 breaches affecting 112.5 million individuals in 2015, including the record-breaking Anthem hacking incident.

The HHS website shows that 7.6% more major HIPAA breaches were reported in 2021 compared to 2020, and there were 34.4% more individuals affected by those incidents in 2021 compared to 2020.

2021 Breach Trends

Hacking/IT incidents were by far the most dominant type of health data breach posted to the HHS website in 2021, in a trend that has been developing over the past several years.

As of Monday morning, the HHS website shows 526 major HIPAA breaches reported in 2021 as hacking/IT incidents, affecting 43.1 million individuals. That means hacking/IT incidents were involved in 73% of all 2021 breaches posted to the HHS website so far, but those incidents were responsible for about 94% of individuals affected.

Some 147 "unauthorized access/disclosure" breaches affected more than 2.2 million individuals in 2021. That’s about 20% of total breaches and about 4.8% of those individuals affected in 2021.

Only 16 loss/theft breaches involving unencrypted computing devices - such as laptops and mobile storage gear - were posted to the HHS website in 2021. Those incidents, which were the major source of large health data breaches in years past, affected fewer than 100,000 individuals in 2021.

Business associates were reported as being involved in 251 breaches affecting 21.3 million individuals in 2021. That means vendors and other business associates handling protected health information were involved in about 35% of all major HIPAA breaches in 2021. Those business associate incidents affected about 46% of all individuals affected last year by major health data breaches.

10 Largest Health Data Breaches in 2021

Breached Entity                              Individuals Affected
Florida Healthy Kids Corp.                   3.5 million
20/20 Eye Care Network                       3.2 million
Forefront Dermatology                        2.4 million
CaptureRx                                    1.7 million
Eskenazi Health                              1.5 million
The Kroger Co.                               1.47 million
St. Joseph's/Candler Health System           1.4 million
University Medical Center Southern Nevada    1.3 million
American Anesthesiology                      1.27 million
Practicefirst Medical Management Solutions   1.2 million

Source: U.S. Department of Health and Human Services

2022 Trends So Far

As of Monday, the HHS OCR website showed five major breaches affecting 1.6 million individuals posted so far in 2022.

Each of those breaches was reported as a hacking/IT incident, as were the 10 largest breaches posted on the HHS site in 2021.

So far in 2022, the largest breach posted on the HHS site was reported on Jan. 2 by Fort Lauderdale, Florida-based Broward Health. That hacking incident, which occurred in October and involved data exfiltration, affected 1.3 million individuals.

Driving Forces

Some experts do not expect the growing number of health data breaches being reported - and the increasing number of individuals affected - to subside anytime soon.

"Breaches will increase as businesses continue to automate more. Data is the new currency in the cyber world," says Tom Walsh, founder of privacy and security consultancy tw-Security.

But that is not just a healthcare sector problem, some experts note. "I assume the number of breaches across industries has risen. [This] goes along with the worldwide nature of cyber business and security and crime. And the pandemic exacerbates it all," says Kate Borten, president of privacy and security consultancy The Marblehead Group.

Hacking incidents in particular will continue to plague the healthcare sector, Walsh says. "Hackers have stepped up their efforts. With new tools available it’s even easier for someone with basic experience to launch a more sophisticated attack," he says.

Walsh says hackers used to have to be technically skilled in operating systems and software to successfully launch an attack, but now software-as-a-service tools and tools using artificial intelligence are making it easier for novice hackers.

More Scams

At the same time, "the pandemic seems to have bred more scams, taking advantage of people working at home where they're connected 24/7," Borten says. She says working at home and combining business and personal activities throughout the day and night may weaken individuals' attention to good security practices.

Walsh says many organizations have become more diligent about addressing work-at-home risks.

"The home office environment may not be as secure as the work environment. However, it's been my experience that, while in 2020 businesses hurriedly sent the majority of their workforce home, in 2021, efforts were made to later shore up the security defenses for those working from home."

In the meantime, the surge in ransomware attacks has created the need for covered entities and business associates to change their defense strategies and recovery procedures, he says.

"The kinds of breaches caused by ransomware seem to have shifted from an inconvenience of the availability of data - encrypted data held ransom - to the exfiltration of data with threats of releasing the data on the dark web if the ransom wasn’t paid," Walsh says, and adds that data exfiltration "requires a totally different response strategy."


About the Author

Marianne Kolbasuk McGee
Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.