Health data breaches have been rising in the US

Health organizations have been prime targets for hackers. Recently, there was a major ransomware attack on dozens of hospitals across the US¹, forcing them to suspend operations temporarily. Since 2009, there has been a clear upward trend in health data breaches, and 392 cases have already been reported by organizations this year (as of July 31). This week, Surfshark takes a look at US health data breaches over the years using the Breach Portal of the US Department of Health and Human Services².

Key insights

• Since 2009, there have been a total of 5553 health data breaches reported by organizations. The number of cases reported each year has been steadily increasing, with 719 reported in 2022 alone—the highest recorded number in a single year.
• The biggest health data breach happened in 2015—nearly 79 million people were affected by Anthem Inc.’s data breach², after which the company paid $16 million in fines to the US Department of Health and Human Services. The second largest health data breach occurred in 2019 when 11.5 million accounts were leaked from Optum360, LLC.
• Healthcare providers reported 72% of these breaches. Business associates of healthcare institutions account for 15%—for instance, last year, Novant Health reported that the health data of 1.4 million people was leaked to Meta through a tracking pixel². Finally, companies offering healthcare plans (including insurance policies) and clearing houses make up 13% of the reported breaches.
• The top 5 states by breach count since 2009 are California (558 reports), Texas (451), New York (366), Florida (326), and Pennsylvania (249). According to the FBI’s Internet Crime Reports³, the cybersecurity issues in these states are not limited to just healthcare breaches—they are the most heavily affected states by all major types of cybercrime, including ransomware, phishing, investment fraud, etc.

Methodology and sources

This study used publicly available data from the US Department of Health and Human Services Office for Civil Rights Breach Portal - Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. This guidance was first issued in April 2009 with a request for public comment⁴.

Data was collected on August 8th. The latest breach included in the data set was reported on July 31st, 2023. Aggregated data includes reports that have been archived or are still under investigation. They were analyzed according to organization type (Healthcare Provider, Business Associate, Healthcare Clearing House, Health Plan) and the state that the organization is in. Since Healthcare Clearing Houses account for only 0.2%, they were combined with Health Plan Providers.

Limitations of the study: As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals⁴. Thus, smaller breaches are left unreported.

Data was collected from:

References: