Summary of Healthcare Data Breaches in 2016

Feb 14, 2017

Although the total number of records exposed in healthcare data breaches in 2016 was an order of magnitude lower than in 2015, there was a significant increase in the number of covered entities (CEs) that reported breaches.

16,471,765 records were exposed in healthcare data breaches in 2016, compared with 113,267,174 in 2015. Despite this massive decrease, more CEs reported breaches than in any other year since OCR started publishing breach summaries in 2009. OCR publishes these summaries on its ‘Wall of Shame’, which ranks 2016 as the second worst year on record for the number of patient and health plan member records exposed in a single year. Most of the records exposed in 2015 were stolen in massive cyberattacks on the databases of major health data companies.

As of February 6, 2017, 329 reported breaches of 500 or more records had been uploaded to the OCR breach portal for 2016. This is a significant increase on the same period in previous years. The figures for previous years are compared below:

2016 Healthcare Data Breaches of 500 or More Records

Year  | Number of Breaches (500+) | Number of Records Exposed
----- | ------------------------- | -------------------------
2016  | 329                       | 16,471,765
2015  | 270                       | 113,267,174
2014  | 307                       | 12,737,973
2013  | 274                       | 6,950,118
2012  | 209                       | 2,808,042
2011  | 196                       | 13,150,298
2010  | 198                       | 5,534,276
2009  | 18                        | 134,773
Total | 1,801                     | 171,054,419

Largest Healthcare Data Breaches of 2016

These figures suggest a significant reduction in large healthcare data breaches year on year. However, careful analysis of the figures is needed to understand the complexity of the underlying situation.

In 2015 three massive data breaches were reported by covered entities following cyberattacks on their databases: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three attacks resulted in the theft of 78.8 million, 11 million, and 10 million records respectively.

More records may have been exposed in 2015 as a result of those major cyberattacks, but in each breach size category 2016 ranked worse than 2015. By that measure, 2016 was a particularly bad year for the security of health data.

 

Breaches of More Than 500 Records

Year | 500 to 1,000 | 1,000 to 10,000 | 10,000 to 100,000 | 100,001+
---- | ------------ | --------------- | ----------------- | --------
2016 | 89           | 158             | 67                | 14
2015 | 76           | 142             | 37                | 12

*No total submitted for one healthcare data breach in 2016

All of the largest healthcare data breaches of 2016 (those that resulted in the exposure or theft of more than 100,000 healthcare records) affected healthcare providers, apart from one major breach at a business associate and one at a health plan. The largest 2016 breach experienced by a health plan was the 381,504-record breach reported by Community Health Plan of Washington in December.

Largest Healthcare Data Breaches of 2016

The following table summarises the largest healthcare data breaches of the past year, including the CEs and the number of records exposed.

Rank | Covered Entity                                                | Entity Type         | Cause of Breach                | Records Exposed
---- | ------------------------------------------------------------- | ------------------- | ------------------------------ | ---------------
1    | Banner Health                                                 | Healthcare Provider | Hacking/IT Incident            | 3,620,000
2    | Newkirk Products, Inc.                                        | Business Associate  | Hacking/IT Incident            | 3,466,120
3    | 21st Century Oncology                                         | Healthcare Provider | Hacking/IT Incident            | 2,213,597
4    | Valley Anesthesiology Consultants                             | Healthcare Provider | Hacking/IT Incident            | 882,590
5    | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | Hacking/IT Incident            | 749,017
6    | Bon Secours Health System Incorporated                        | Healthcare Provider | Unauthorized Access/Disclosure | 651,971
7    | Peachtree Orthopaedic Clinic                                  | Healthcare Provider | Hacking/IT Incident            | 531,000
8    | Radiology Regional Center, PA                                 | Healthcare Provider | Loss                           | 483,063
9    | California Correctional Health Care Services                  | Healthcare Provider | Theft                          | 400,000
10   | Community Health Plan of Washington                           | Health Plan         | Hacking/IT Incident            | 381,504
11   | Central Ohio Urology Group, Inc.                              | Healthcare Provider | Hacking/IT Incident            | 300,000
12   | Premier Healthcare, LLC                                       | Healthcare Provider | Theft                          | 205,748
13   | Athens Orthopedic Clinic, P.A.                                | Healthcare Provider | Unauthorized Access/Disclosure | 201,000
14   | Community Mercy Health Partners                               | Healthcare Provider | Improper Disposal              |

Main Causes of Healthcare Data Breaches in 2016

The healthcare industry in the United States is at peril from insider attacks on its databases. Although this type of attack was not responsible for the largest healthcare data breaches of 2016, these breaches can cause the most harm to patients: the victims are frequently at major risk of identity theft and fraud, and usually relatively soon after the data have been stolen, whereas hackers often wait a year or two before stolen data are used.

As in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of those at Anthem, Premera, and Excellus were not repeated in 2016, but the number of healthcare hacking incidents increased massively, with more providers attacked than ever before.

The loss and theft of unencrypted devices used to store PHI fell considerably year on year. Encrypting the data on those devices could have prevented all of those breaches and the exposure of almost 1,500,000 healthcare records.

Main Cause of Breach           | 2016 | 2015
------------------------------ | ---- | ----
Unauthorized Access/Disclosure | 130  | 102
Hacking/IT Incident            | 113  | 57
Theft                          | 62   | 81
Loss                           | 16   | 23
Improper Disposal              | 7    | 6

2016 Healthcare Data Breaches by Covered Entity

The nature of healthcare data breaches in 2016 was similar to 2015, with healthcare providers the main entities breached. Overall, the percentage of breaches affecting health plans was significantly lower in 2016 than in 2015. Data breaches at business associates remained at the same level year on year.

Breached Entity     | 2016 | 2015
------------------- | ---- | ----
Healthcare Provider | 257  | 196
Health Plan         | 52   | 62
Business Associate  | 20   | 19

Data Source: Department of Health and Human Services’ Office for Civil Rights: Figures Updated February 7, 2017
