The healthcare industry has long been a prime target for cybercriminals, with data breaches posing a constant threat to patient privacy and the integrity of sensitive medical information. The past decade has seen both the number and the severity of healthcare data breaches increase, with 2023 setting new records for the number of reported incidents and the volume of exposed records.
Trends in healthcare data breach statistics
The upward trajectory of data breaches
Paubox’s healthcare data breach statistics analysis reveals an upward trend over the past 14 years. Since the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) began publishing summaries of data breach reports in October 2009, a staggering 5,887 large healthcare data breaches (involving 500 or more records) have been reported.
In 2023, a record-breaking 725 data breaches were reported to OCR, representing a 239% increase in hacking-related incidents and a 278% rise in ransomware attacks compared to 2018. This translates to an average of 1.99 healthcare data breaches of 500 or more records being reported each day, with an average of 364,571 healthcare records breached every day.
Escalating breach severity
The healthcare data breach statistics reveal not only a quantitative increase in the number of incidents but also a qualitative escalation in their severity. In 2023, the total number of records exposed or impermissibly disclosed across all reported breaches reached an astounding 133 million – more than double the previous record set in 2022.
Shifting breach causes
The primary causes of healthcare data breaches have changed over the years. In the early years, physical devices and records were more likely to be lost or stolen. However, as the industry has transitioned to digital record-keeping and adopted more widespread data encryption, these incidents have declined.
Now, the industry is experiencing a surge in hacking-related incidents and ransomware attacks. In 2023, 79.7% of all reported data breaches were attributed to hacking, compared to just 49% in 2019. Unauthorized access and disclosure incidents have also trended downward, yet the overall number of breaches keeps rising as cyberattacks grow more sophisticated.
Causes of healthcare data breaches
Hacking and IT incidents
Cybercriminals have become increasingly adept at exploiting vulnerabilities in healthcare IT systems, often through malware, phishing attacks, and other sophisticated techniques. The shift to remote work and the growing reliance on cloud-based technologies have expanded the attack surface, making healthcare organizations more vulnerable to these breach types.
Unauthorized access and disclosure
While the frequency of unauthorized access and disclosure incidents has declined in recent years, the severity has increased. These incidents, which include employee errors, negligence, and malicious insider activities, can result in the exposure of large volumes of sensitive patient information.
Loss and theft of devices and records
The loss or theft of physical devices and records has become less prevalent in recent years due to the industry's transition to digital record-keeping and the increased adoption of data encryption technologies.
Improper disposal of PHI/ePHI
The improper disposal of protected health information (PHI) and electronic protected health information (ePHI) is a relatively infrequent cause of healthcare data breaches, but can result in the exposure of sensitive patient data. HIPAA requires healthcare organizations to destroy records that are no longer needed, and failure to do so can lead to breaches.
Healthcare data breaches by reporting entity
The healthcare data breach statistics reveal that breach reporting is more complex than it may initially appear. While the data is typically reported by the entity that experienced the breach, the actual source of the breach may be a business associate or a combination of the covered entity and its business associates.
Reporting by healthcare providers
Healthcare providers, such as hospitals, clinics, and physician practices, have historically reported the majority of healthcare data breaches, accounting for 4,465 incidents between 2009 and 2024.
Reporting by health plans
Health plans, including insurance companies and managed care organizations, have reported 810 data breaches during the same period. These breaches often involved large volumes of patient information being exposed, such as the Anthem Inc. breach in 2015, which affected 78.8 million individuals.
Reporting by business associates
Business associates that provide services to HIPAA-covered entities have reported 947 data breaches since 2009. However, this figure may underrepresent the true extent of business associate-related breaches, as covered entities may also report incidents that originate with their business partners.
Financial and regulatory implications of healthcare data breaches
OCR settlements and fines for HIPAA violations
The penalties for HIPAA violations can be severe, with multi-million-dollar fines possible when violations have persisted for several years or when there is systemic non-compliance with HIPAA Rules. The penalty structure for HIPAA violations includes four tiers, with the highest tier carrying a maximum fine of $1.9 million per violation category, per year.
Over the years, OCR has steadily increased its enforcement activity, imposing 22 penalties in 2022 alone. Notable examples include a $16 million settlement with Anthem Inc. in 2018 and a $6.85 million settlement with Premera Blue Cross in 2020 to resolve potential HIPAA violations related to their respective data breaches.
State Attorneys General HIPAA fines and penalties
In addition to federal enforcement by OCR, State Attorneys General can also bring action against HIPAA-covered entities and their business associates for HIPAA violations. Penalties can range from $100 per violation up to a maximum of $25,000 per violation category, per year.
In recent years, State Attorneys General have become more active in pursuing HIPAA-related enforcement actions, often in conjunction with federal authorities. Notable examples include a $39.5 million multistate settlement with Anthem Inc. in 2020 and a $10 million settlement with Premera Blue Cross in 2019.
Federal Trade Commission fines and penalties
The Federal Trade Commission (FTC) also enforces data breach notification requirements, particularly for vendors of personal health records and related entities not covered by HIPAA. In 2023, the FTC began actively enforcing its Health Breach Notification Rule, issuing several settlements with companies that failed to properly notify consumers of data breaches involving unsecured health information.
Strategies for mitigating healthcare data breaches
Encryption of protected health information
One of the most effective strategies for mitigating the impact of healthcare data breaches is encrypting PHI. Encryption renders data unusable, unreadable, or indecipherable in the event of a breach, preventing malicious actors from successfully accessing the data.
Multifactor authentication and access controls
Implementing access controls, including multifactor authentication for privileged accounts, can help healthcare organizations mitigate the risk of unauthorized access and disclosure incidents.
Supply chain risk management
Healthcare organizations must prioritize the security of their supply chains, as data breaches originating from business associates have become increasingly common. Due diligence on vendors, continuous monitoring of HIPAA compliance, and secure communication channels for PHI/ePHI transmission can mitigate risk.
Employee training and awareness
HIPAA and cybersecurity training for all employees, including regular refresher courses, can help healthcare organizations reduce the risk of data breaches caused by human error, negligence, and insider threats. By fostering a culture of security awareness, organizations can empower their workforce to identify and report suspicious activities, ultimately strengthening their overall cybersecurity posture.
Proactive incident response and backup strategies
In the event of a successful cyberattack, healthcare organizations must be prepared to respond effectively and minimize the impact on patient care and data integrity. Incident response plans, regular backups, and the ability to quickly restore systems from secure backups can help organizations recover from these incidents and limit the exposure of sensitive data.
FAQs
How can organizations identify a breach?
Identifying a HIPAA breach involves recognizing any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy.
Monitoring access logs, conducting regular security assessments, and promptly investigating suspicious incidents can help identify potential breaches. Early detection enables prompt action to mitigate harm and fulfill reporting requirements under HIPAA regulations.
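The log monitoring described above can be automated with a few simple rules. The following is an added example, not code from Paubox or from any EHR vendor: the audit-log format, user names, patient identifiers, business hours and the distinct-patient threshold are all constructed assumptions, and the three rules (high-volume record access by one user in a day, access outside business hours, and record exports) are common starting points for insider-snooping and exfiltration detection rather than a HIPAA-mandated rule set.

```python
"""Flag suspicious access patterns in an EHR audit log (added example).

Everything here is constructed for illustration: the log format, the
user and patient identifiers, the business-hours window and the
distinct-patient threshold are assumptions, not a real vendor schema.
"""
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample audit log: <ISO timestamp> <user> <action> <patient_id>
SAMPLE_LOG = """\
2024-03-04T09:12:01 nurse.alice VIEW P1001
2024-03-04T09:14:30 nurse.alice VIEW P1002
2024-03-04T10:02:11 dr.bob VIEW P1001
2024-03-04T10:05:45 dr.bob UPDATE P1001
2024-03-04T02:17:09 clerk.carol VIEW P2001
2024-03-04T02:18:22 clerk.carol VIEW P2002
2024-03-04T02:19:40 clerk.carol VIEW P2003
2024-03-04T02:21:03 clerk.carol VIEW P2004
2024-03-04T02:22:15 clerk.carol VIEW P2005
2024-03-04T02:23:50 clerk.carol EXPORT P2006
2024-03-04T14:30:00 nurse.alice VIEW P1003
"""

# Assumed detection parameters; a real deployment tunes these per role/department.
BUSINESS_HOURS: Tuple[time, time] = (time(7, 0), time(19, 0))
DISTINCT_PATIENT_THRESHOLD = 5  # distinct patient records per user per day


class AccessEvent(NamedTuple):
    ts: datetime
    user: str
    action: str
    patient_id: str


class Finding(NamedTuple):
    rule: str
    user: str
    day: str
    detail: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse whitespace-separated audit lines; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, patient_id = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, action, patient_id))
    return events


def detect_anomalies(
    events: List[AccessEvent],
    threshold: int = DISTINCT_PATIENT_THRESHOLD,
    hours: Tuple[time, time] = BUSINESS_HOURS,
) -> List[Finding]:
    """Apply three review rules and return one Finding per (rule, user, day) hit."""
    patients_by_user_day: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    off_hours_by_user_day: Dict[Tuple[str, str], int] = defaultdict(int)
    exports: List[AccessEvent] = []

    for ev in events:
        key = (ev.user, ev.ts.date().isoformat())
        patients_by_user_day[key].add(ev.patient_id)
        # Rule 2: any access outside the assumed business-hours window
        if not (hours[0] <= ev.ts.time() < hours[1]):
            off_hours_by_user_day[key] += 1
        # Rule 3: exports move PHI out of the system and always merit review
        if ev.action == "EXPORT":
            exports.append(ev)

    findings: List[Finding] = []
    # Rule 1: one user touching more distinct patients in a day than expected
    for (user, day), patients in sorted(patients_by_user_day.items()):
        if len(patients) > threshold:
            findings.append(Finding("high_volume_access", user, day,
                                    f"{len(patients)} distinct patients (threshold {threshold})"))
    for (user, day), count in sorted(off_hours_by_user_day.items()):
        findings.append(Finding("off_hours_access", user, day,
                                f"{count} access events outside {hours[0]:%H:%M}-{hours[1]:%H:%M}"))
    for ev in exports:
        findings.append(Finding("record_export", ev.user, ev.ts.date().isoformat(),
                                f"EXPORT of {ev.patient_id} at {ev.ts:%H:%M:%S}"))
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.user} {f.day}: {f.detail}")
```

On the constructed sample, only clerk.carol trips the rules: six distinct patient records viewed in one day, all of them between 02:17 and 02:24, plus an export. Each finding is a lead for investigation, not proof of a breach; the point is that such a review runs daily over the audit trail rather than waiting for a complaint.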
What is the HIPAA Breach Notification Rule?
The HIPAA Breach Notification Rule requires covered entities and their business associates to notify affected individuals, the Department of Health and Human Services' Office for Civil Rights (OCR), and potentially the media and state authorities following a breach of unsecured PHI.
What is the difference between a HIPAA breach and a HIPAA violation?
A HIPAA breach is an impermissible acquisition, access, use, or disclosure of PHI, and it triggers notification requirements. In contrast, a HIPAA violation is any failure to comply with HIPAA regulations, whether or not it leads to a breach. Both breaches and violations can result in penalties, but the severity of the consequences varies with the nature and extent of the non-compliance.
Why are there more data breaches in the healthcare sector than in other sectors?
Healthcare data is more valuable on the black market than any other type of data, as it takes longer for healthcare fraud to be discovered and the stolen data can be used for a longer time. Additionally, healthcare organizations have stricter breach notification requirements than other sectors, and certain types of breaches (such as ransomware attacks) must be reported even if it cannot be established that data has been compromised.