US Orgs Have Suffered 5,000 Healthcare Data Breaches Since 2009

More than 342 million medical records were impacted by the thousands of healthcare data breaches that occurred from 2009 to June 2022.

By Jill McKeon

From 2009 to June 2022, organizations reported nearly 5,000 healthcare data breaches to the HHS Office for Civil Rights (OCR) data breach portal, researchers at Comparitech found. The breaches impacted more than 342 million records in total.

“All 50 states are required to report medical breaches to the U.S. Department of Health and Human Services (HHS), with individual breaches filed if they affected over 500 records (those with fewer may be filed under a yearly report),” the report noted.

“Due to the tool only listing breaches that affect 500 or more patients, it is likely our figures underestimate the true scale of the problem.”

Even so, the data once again confirms that healthcare data breaches are a longstanding, nationwide problem.

A Review of 13 Years of Healthcare Data Breaches

Nearly one-fifth of the breaches occurred in 2020 alone, likely due to the healthcare sector’s focus on the pandemic, which created a perfect storm for cyber threat actors, the report found. 2021 and 2019 followed closely behind 2020, suggesting that healthcare data breaches are only becoming more of a problem as time goes on.

Researchers also included a state-by-state breakdown of healthcare data breaches, all based on HHS data. It is important to note that the states with the highest number of breaches are also the states with some of the highest populations in the country.

For example, California accounted for about 10 percent of the 4,746 data breaches reported since 2009. Texas, Florida, New York, and Illinois followed behind as the most-affected states in terms of healthcare data breaches.

However, when it comes to the number of records impacted, the story changed. Indiana accounted for nearly 25 percent of all impacted records, at 87.2 million, largely due to the 2015 Anthem breach. New York followed with just 25 million records.

Comparitech also noted the top five biggest healthcare data breaches from 2009 to June 2022 in terms of the number of records affected:

  1. (2015) Anthem, Inc.: 78.8 million records impacted
  2. (2018-2019) Optum360: 11.5 million records impacted
  3. (2014-2015) Premera Blue Cross: 11 million records impacted
  4. (2019) Laboratory Corporation of America Holdings, dba LabCorp: 10.2 million records impacted
  5. (2013-2015) Excellus Health Plan: 9.3 million records affected

“The top-ranking medical breaches come from several years ago. So although we are seeing an uptick in the number of records affected on a yearly basis, this is due to a higher volume of attacks rather than larger, less frequent breaches,” the report noted.

As other reports have confirmed, healthcare has seen an uptick in malicious hacking incidents in recent years. Comparitech found that hacking accounted for 41 percent of breaches in 2021, followed by ransomware at 23 percent.

The past 13 years showed a steady increase in healthcare data breaches, with 2020 hitting record-high levels. Even as numbers start to even out, healthcare organizations are still facing a consistently high volume of breaches, with millions of records being impacted per year. 

Looking Forward

A new report from Critical Insight confirmed that while the total number of breaches has been steadily declining since 2020, breaches are still not at pre-pandemic levels. About 20 million records have been implicated in healthcare data breaches in the first half of 2022 alone.

As healthcare organizations continue to grapple with the pandemic two years later, they will also have to adjust to the “new normal” of cyber threats.

“Healthcare organizations are likely to look quite different today than pre-COVID. For example, administrators and other support staff that don’t need to physically be at the healthcare facility might have settled into a hybrid work schedule. This creates potential security vulnerabilities,” Critical Insight noted.

The report recommended that organizations get back to basics by focusing on preparing for an attack, quickly detecting attacks, and responding effectively. Additionally, healthcare organizations should ensure that all third-party vendors are employing appropriate security measures.

“Attackers are continuing to push the envelope and change the playing field when it comes to healthcare data breaches and attacks,” John Delano, healthcare cybersecurity strategist at Critical Insight and vice president at Christus Health, said in a press release.

“This move from large hospital systems and payers to smaller entities that truly have a deficit when it comes to cyber defenses, shows a massive change in victims and approach. As we continue into 2022, we anticipate attackers to continue to focus on these smaller entities for ease of attack, but also for evasion of media attention and escalation with law enforcement.”