Healthcare Information Security


Hacking Still Leading Cause of 2015 Health Data Breaches

By Elizabeth Snell

Health data breaches are clearly not going away anytime soon, as 2015 has included some of the largest breaches and hacking incidents on record.


The Anthem data breach and Premera Blue Cross breach are the largest data breaches currently listed in the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) database, with approximately 90 million individuals affected by the two health data breaches. Both incidents were caused by a cyber attack and took place earlier this year. However, the majority of health data breaches through today’s date were caused by either a hacking or IT incident, according to OCR.

There have been 92 incidents reported to HHS between Jan. 1, 2015 and May 6, 2015. Of those, 30 were classified as being caused by either a hacking or IT incident. The rest of the classification breakdown is as follows:

  • 27 - unauthorized access/disclosure
  • 22 - theft
  • 10 - loss
  • 3 - improper disposal

This trend continues one that was previously reported on this year, with the largest six data breaches for 2015 all reportedly being caused by a hacking or IT incident. There has been a definite shift over the last several years when it comes to health data breaches.

For example, by widening the OCR search to include incidents from Jan. 1, 2010 up to today’s date, two of the top five largest breaches were reported as a hacking or IT incident. The next three were linked to either the loss or theft of a network server, desktop computer, or other such device. The top five health data breaches in that time frame were:

Anthem, Inc.

When: March 13, 2015

Affected Individuals: 78.8 million

Cause: Hacking/IT Incident


Premera Blue Cross

When: March 17, 2015

Affected Individuals: 11 million

Cause: Hacking/IT Incident


Science Applications International Corporation

When: November 4, 2011

Affected Individuals: 4.9 million

Cause: Loss


Community Health Systems Professional Services Corporation

When: August 20, 2014

Affected Individuals: 4.5 million

Cause: Theft, Network Server


Advocate Health and Hospitals Corporation

When: August 23, 2013

Affected Individuals: 4,029,530

Cause: Theft, Desktop Computer

The Journal of the American Medical Association (JAMA) recently reported on this trend as well, showing in research that hacking increased from 12 percent to 27 percent of incidents from 2010 to 2013.

David Blumenthal, MD, MPP, and Deven McGraw, JD, LLM, MPH, wrote an editorial accompanying the JAMA study, and said that both policy makers and providers must ensure that they are practicing “good data hygiene.”

“They neglect to implement basic precautions such as encrypting health data, prohibiting the storage of personal information on employees’ personal electronic devices (which are vulnerable to loss and theft), and using sound practices for authenticating authorized users,” Blumenthal and McGraw wrote, adding that HIPAA regulations have gaps in what they can protect.

For example, the federal rules do not state how PHI should be regulated by technology companies like Apple, Google, and Facebook.

“The fact that HIPAA regulates only certain entities that hold health data, rather than regulating health data wherever those data reside, seems illogical in today’s digital world,” the duo said. “Beyond the adequacy of HIPAA, the security of the nation’s health information systems is inextricably linked to the ability to fend off cyber threats more generally. National policy on this larger question remains nascent.”

That “nascent” attitude could soon change though, as several variations on a national data breach notification bill are making their way through the legislative process. One of the more recent proposals is called the Consumer Privacy Protection Act, and would allow states to keep their own notification laws if they already have stricter policies in place. The legislation also includes medical and health information among the types of data that individuals would need to be notified about should it be compromised.

