Data Breach Statistics

You must be wondering why there is a page specifically dedicated to healthcare data breaches.
Well, security and privacy are among the most important aspects of an EHR, yet most providers blatantly overlook them and treat them as a cost center.


Ransomware and hacking incidents plagued 2016, and this year is no different, with the latest Protenus Breach Barometer midyear report finding that 2017 is on pace to exceed last year’s rate of one breach per day.

So far this year, the healthcare sector has reported 233 breach incidents to the U.S. Department of Health and Human Services (HHS), state attorneys general and the media. More than 3.16 million patient records have been breached.

Between 2009 and 2017 there were 2,181 healthcare data breaches involving 500 or more records. Those breaches resulted in the theft or exposure of 176,709,305 healthcare records, which equates to more than half of the population of the United States (54.25%). Healthcare data breaches are now being reported at a rate of more than one per day.

Data Breaches since EHRs were first mandated in 2009


Officials expect more organizations to report ransomware attacks this year, because HHS updated its ransomware reporting requirements in Aug. 2016. The update places the burden of proof on the provider: a ransomware incident involving patient data is presumed to be a reportable breach unless the provider can demonstrate that the attacker did not access or exfiltrate the data.

Insiders remain a constant challenge for healthcare, accounting for 96 incidents, or 41 percent of data breaches, so far this year. More than 1.17 million patient records were breached through insider error or wrongdoing.

Insider wrongdoing is especially damaging because it is rarely detected promptly. For example, Anthem reported this week that an employee of its Medicare insurance coordination services vendor had been stealing and misusing Medicaid member data since as early as July 2016. The breach was not discovered until April.

Another issue plaguing the healthcare sector is that other types of external attacks have been underreported or not reported at all. Thousands of databases across all sectors have been wiped or had their data exfiltrated, yet the report found that only a handful of these incidents were reported to HHS.

The FBI has likewise reported that these database "ransacking" incidents are going unreported.

In conclusion, healthcare executives should, at a fundamental level, stop thinking about security and privacy as a cost center and start treating them as a strategic pillar of their organization. We have continued to see increased awareness and incremental improvements, but not the dramatic leap forward that is needed.

“A culture of trust, comprised of dual pillars of privacy and security, must come from the highest levels of the organization.”