The HIPAA Privacy Rule (Health Insurance Portability and Accountability Act of 1996) is a healthcare cybersecurity framework that mandates security standards for all HIPAA-covered entities. HIPAA aims to protect patient information in the public health sector and promote stronger cybersecurity policies. HIPAA standards have since been adopted worldwide and are enforced as federal law in the United States.
This article focuses on HIPAA statistics that all healthcare providers and institutions (including pharmacies, mental health institutions, and healthcare operation services) should know in order to prevent data breaches and lower their cyber risk.
Overview of Healthcare Data Breaches
HIPAA-related incidents have been rapidly growing in recent years. Healthcare organizations must adapt to changing threat landscapes to protect individual rights in the health sector and ensure privacy protections meet HIPAA and national standards.
Using data from past years, experts predict that the digital landscape of the healthcare sector will continue to face significant cyber threats.
Here are the common HIPAA violation-related trends:
- Roughly 95% of the US population had their medical information disclosed between 2009 and 2021.
- Every employee in a healthcare organization has access to nearly 20% of files.
- 88% of hackers that attack healthcare entities do so for financial reasons.
- 95% of all identity theft incidents come from stolen healthcare records. Such information is worth about 50 times more than credit card information.
- Around 75% of surveyed healthcare services stated that their cybersecurity infrastructure is largely unprepared for cyber threats and confirmed that their patient privacy and health data could be at risk.
Healthcare Sector Has the Highest Number of Security Breaches
Most breaches involve PHI (protected health information, also referred to as personal health information), which includes sensitive data about patients and doctors, laboratory test results, prescriptions, doctor visits, and vaccine results, as well as other personally identifiable information (PII) like names, addresses, emails, and social security numbers. It’s worth noting that PHI held by hospitals is usually in electronic form, also known as ePHI.
Important data breach statistics gathered from the HIPAA Journal, as well as other sources like Verizon, TechJury, OCR (Office for Civil Rights), insurance companies, law enforcement agencies, and other health information technology providers, show that healthcare providers need to prioritize their cybersecurity efforts or risk losing important data and incurring massive fines.
- 30% of all major data breaches are hospital-related.
- 67% of data breaches in healthcare organizations involve compromised medical information.
- 34% of healthcare data breaches come from unauthorized access or disclosure of PHI.
- Healthcare accounts for 79% of all reported breaches.
- 18% of teaching hospitals reported enduring a data breach.
- Malware attacks and IT-related incidents accounted for 67% of data breaches in the healthcare sector, and make up 92% of all breached medical records.
- Data breaches from exploited credentials require an average of 341 days to be contained and remediated.
- 6% of pediatric hospitals reported data breaches.
Exposed Medical Records Continue to Rise Rapidly Year-over-Year
Many hospitals and healthcare systems still operate with legacy technology, which puts them at extreme risk of a data breach. One of the most common HIPAA violations that healthcare systems are penalized for is failing to encrypt their digital devices because they still use outdated security policies.
In fact, many healthcare systems do not have any cybersecurity processes implemented, which could result in significant fines and punishments by the US Department of Health and Human Services (HHS).
- Over the past decade, nearly 4,500 different data breaches have each exposed 500 or more medical records.
- Data breaches have increased by an average of 25% year-over-year.
- According to the US Healthcare Data Breach Report from the HIPAA journal, data breaches in both large and small hospitals and clinics have doubled in frequency since 2014.
- The average data breach took 212 days to identify and 75 days to contain in 2021.
One indicating factor of poorly secured systems is the rapidly increasing amount of patient and medical records that continue to be exposed.
- From 2010-2014, roughly 50 million patient records were exposed. In the following five years, this number quadrupled.
- In 2021 alone, approximately 45 million healthcare records were stolen or compromised. In 2022, this number is projected to reach nearly 50 million records.
- 2015 was arguably the worst year for healthcare cybersecurity, with more than 133 million medical records exposed. This resulted from three devastating data breaches affecting major healthcare institutions: Anthem Inc., Premera Blue Cross, and Excellus.
- In 2020, 39 prominent healthcare organizations suffered a data breach, out of 663 major data breaches that year.
- 2020 saw more than 29 million healthcare records exposed due to data breaches.
- In 2021, more than 57% of healthcare organizations suffered more than five data breaches.
- In 2021, there were 713 reported major data breaches affecting more than 45 million people, which is the highest number since the Anthem data breach of 2015 that impacted 80 million individuals.
- In February 2022, 46 healthcare data breaches were reported, affecting more than 2.5 million people, an 8% decrease in incidents compared to January.
- The HHS reports that there were 30 healthcare breaches in March 2022, which affected 1.4 million people.
Data Breaches Involving 500 or More Medical Records
- Between 2009 and 2021, the OCR received 4,419 data breach reports involving 500 or more medical records from US healthcare institutions, which disclosed approximately 314 million medical data items without written authorization.
- In 2018, there were almost two data breach occurrences per day involving 500 or more medical records.
- In 2020, there were 642 reported data breaches involving 500 or more medical records. In 2021, this number increased to 714 data breach reports involving 500 or more medical records, an average of 1.95 data breach reports per day.
- From March 2021 to February 2022, 723 data breaches involving 500 or more records were reported, a record number of data breaches within a 12-month period.
- In 2022, the average rate of reported data breaches involving 500 or more records was approximately two reports per day, nearly double the amount in 2018 (as of June 30, 2022).
Costs for Prevention are High, but HIPAA Penalties & Data Breach Costs are Even Higher
Because the digital age is still relatively new, many industries, especially healthcare, have yet to prioritize cybersecurity. Many organizations would rather invest in business operations or staffing over ensuring data security, but recent HIPAA Security Rule violations have shown that failing to protect patient data and failing to provide breach notifications can be extremely costly.
It’s also important to highlight that health institutions that fail to enter into business associate agreements (BAAs) risk significant HIPAA penalties.
- In 2020, security breaches reached over $6 trillion in damages alone. From 2020 to 2022, the healthcare sector saw approximately $25 billion in losses from cyber attacks.
- More than 60% of healthcare services state that risk assessment planning and costs are why they rely on their own cybersecurity guidelines rather than follow HIPAA compliance standards.
- 75% of the healthcare sector invests a mere 6% or less of its budget on IT security.
- In 2020, the healthcare industry's average cost of a data breach was $7.13 million. In 2021, data breaches cost healthcare clinics an average of $9.3 million, almost 30% higher than in 2020.
- The healthcare industry’s average total data breach cost surpassed $10 million in 2022, compared to $9.3 million in 2021, roughly a 9-10% increase.
- In 2021, the total lost business cost due to a data breach was approximately $1.6 million, nearly 38% of the global average cost of $4.24 million.
- As of November 2022, the Office for Civil Rights (OCR) has settled 126 cases of HIPAA violations for over $133 million.
- OCR has intervened in 52,000 cases and provided guidance to HIPAA-covered entities before investigations or penalties were needed.
Malware & Ransomware Attacks are Extremely Dangerous
Small clinics and state-level hospitals are at risk of data breaches resulting from ransomware attacks, in which attackers compromise a hospital’s security, lock out its systems, steal critical PHI data, and demand money for both the release of the systems and the data.
Bad actors then use the stolen medical data to commit healthcare fraud or sell it on the dark web. Stealing healthcare data is a lucrative cybercrime, as it may be up to 50 times more profitable on average than exploiting credit card information.
- According to a Sophos report, more than 65% of healthcare services reported a ransomware attack in 2021, nearly doubling from the 34% reported in 2020.
- In 2021, ransomware was the most common threat in healthcare-related cyber incidents. The DOJ has recently said it will treat ransomware attacks with the same priority as terrorist attacks, and strongly advises executives and IT security teams to communicate and work together on preventing and responding to ransomware attacks.
- The average ransomware payment in Q1 2022 was $211,259, down 34% compared to Q4 2021. One explanation is that hacker groups target smaller hospitals, which often have poor cybersecurity and a higher chance of paying ransoms, while bigger attacks draw more law enforcement attention and larger investigations.
- In Q1 2019, more than 85% of hospitals that were victims of ransomware attacks paid the required ransom. However, due to strong law enforcement recommendations not to pay the ransom, the number of hospitals that paid the ransom dropped to 46% in Q1 2022.
Employee Negligence Contributes to HIPAA Violations
Medical malpractice, human error, and a general lack of cybersecurity practices in handling medical records are other major factors that lead to HIPAA violations and privacy law breaches. Weak data privacy practices are typically the result of a lack of security training or education.
Improperly trained medical staff have difficulty recognizing malicious activities like phishing attempts and are prone to misplacing or improperly handling medical records and digital devices like phones or laptops. This results in the exposure of individually identifiable health information, such as patient information and social security numbers.
According to HIPAA, malpractice refers to the improper handling of medical data that results in critical health information privacy breaches. Negligent practices can be broken down into two types:
- Accidental negligence involves the misplacement of medical records or the improper disclosure of confidential PHI.
- Malicious negligence involves the deliberate mishandling of PHI by disgruntled employees, often for personal gain. This can include a purposeful intention to sell, disclose, or view confidential data.
Both types of negligence are considered insider threats, since the individuals involved have legitimate access to electronic health records (ePHI, electronic protected health information) and misuse it, adversely impacting the healthcare provider.
In contrast to negligence, though, malicious use of medical records constitutes a more serious breach of HIPAA regulations, and bad actors may face imprisonment or other criminal penalties.
Here are some statistics relating to negligent insiders:
- Between 2016 and 2017, institutions accidentally mailing data to the wrong recipient led to more than 350,000 cases of PHI exposure.
- Accidental negligence is twice as likely to happen than malicious negligence.
- Negligent insiders account for more than 60% of all insider incidents and human errors.
- More than 25% of insider threats are related to the theft of bank credentials.
- In 2020, insider threat incidents involving accidental data loss and malicious disclosure increased by 47% compared to 2018.
- 22% of all healthcare cybersecurity incidents are due to insider threats.
- The four most common causes of healthcare data breaches were 1) compromised credentials, 2) phishing, 3) cloud misconfigurations, and 4) business email compromise (BEC).
How UpGuard Can Help Organizations Become HIPAA Compliant
Every healthcare institution needs to understand the growing cyber risks it faces and how failing to secure data properly can result in significant financial, reputational, and operational damages. More importantly, patient privacy and confidential medical data can be violated and potentially exposed to the public and to threat actors.
UpGuard helps healthcare organizations, healthcare providers, and all related business associates meet HIPAA compliance to help prevent data breaches from happening. UpGuard supports the healthcare industry by helping manage security postures and gain better visibility into third-party contractors using our industry-leading attack surface management and third-party monitoring software.