Mid-Year Summary of Significant 2016 Healthcare Data Breaches

by | Jul 13, 2016

Cyberattacks on healthcare groups are now commonplace and, as long as it is profitable for hackers to attack healthcare organizations, the cyberattacks will continue. Given the number of healthcare data violations now being reported, it is evident that the healthcare industry must do more to enhance defenses against cyberattacks, insider threats. To do that, healthcare organizations need to focus on more than HIPAA compliance.

Healthcare groups had a stressful time in 2015. In 2015, more healthcare records were stolen than in any other year since records of breaches started being recorded by the Office for Civil Rights. Some of the cyberattacks on healthcare suppliers and health insurers lead to huge amounts of data being stolen.

Until the last week in June it appeared that the healthcare industry had prevented large data breaches on the scale of the cyberattacks on Anthem, Premera BlueCross, and Excellus BlueCross BlueShield in 2015. However, as the first six months of the year came to an end, a hacker offered a 9.3-million record database for sale on a Darknet marketplace.

Other large-scale data violations in 2016 include the cyberattack on 21st Century Oncology – A Fort Myers, Florida-based provider of cancer treatment. That attack may have led to the accessing and theft of 2,213,597 patients’ records.

In February, 2016, Florida-based Radiology Regional Center, PA., submitted a violation report of 483,063 patients’ PHI. The breach did not involve a hacker in this instance, instead the data exposure happened when patient files fell from a car that was transporting the files to be destroyed.

In May, California Correctional Health Care Services revealed the possible exposure of 400,000 health records when an unencrypted laptop computer was taken. A stolen laptop storing ePHI was also reported by Premier Healthcare, LLC., in April. The device theft lead to the exposure of 205,748 patient records.

Community Mercy Health Partners also reported a violation involving more than 100,000 patient records. Files storing the protected health data of 113,528 patients were found in a recycling bin in Springfield, Ohio.

Healthcare records were also possibly taken due to a malware infection at EMR management company Bizmatics. It is not yet obvious exactly how many patients were affected by that breach, although current estimates indicate more than 265,000 people have been impacted.

In total, 142 healthcare data violations involving more than 500 records have been reported to the Department of Health and Human Services’ Office for Civil Rights so far in 2016. During the same period in 2015, 143 data violations were reported.

All data breaches may not yet have made it onto the OCR breach portal, the current breach reports show how healthcare records are being exposed.

  • 48 data breaches were filed as unauthorized access
  • 43 data breaches were due to hacking or network server incidents
  • 37 breaches happened because of  the loss or theft of devices used to store ePHI or the loss/theft of physical records
  • 4 breaches were due to the improper destruction of records

In terms of the records that were taken or exposed:

  • 60% were due to cyber hacking (2,703,961 records)
  • 78% were due to loss/theft by an individual or individuals (1,342,125 records)
  • 6% were the result of access by an unauthorized person or group (342,748 records)
  • 63% happened due to improper disposal (118,594 records)

Reports from the Department of Health and Human Services’ Office for Civil Rights show 95,251 healthcare records were exposed or stolen in June 2016; however, there have been more large scale data breaches that have yet to appear on the OCR breach portal.

The sustained series of hacks by TheDarkOverlord have yet to be added to the OCR breach portal. Add in the healthcare records that were taken in those attacks, and others that have yet to be added to the breach portal and the total number of records exposed in June rises to 11,061,649, according to figures released in a recent Protenus report. The June figures are more than five higher than the total number of healthcare records that were exposed in the first five months of the year. Between January and May, 2016., 2,136,810 healthcare records were improperly accessed.

The Protenus report shows 41.4% of violations in June were the result of hacking and the same percentage were caused by insider theft and mistakes. The theft or loss of hard copies of patients PHI or devices storing ePHI accounted for 17.2% of breaches in June.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy