51 HIPAA Statistics Every Healthcare Entity Needs to Know in 2023

The HIPAA Privacy Rule (Health Insurance Portability and Accountability Act of 1996) is a healthcare cybersecurity framework that mandates security standards for all HIPAA-covered entities. HIPAA aims to protect patient information in the public health sector and promote stronger cybersecurity policies. HIPAA standards have since been adopted worldwide and enforced as federal law in the United States.

This article focuses on HIPAA statistics that are essential for all healthcare providers and institutions (including pharmacies, mental health institutions, and healthcare operation services) to know and learn about in regard to cybersecurity to prevent data breaches and lower their cyber risk.

Overview of Healthcare Data Breaches

HIPAA-related incidents have been rapidly growing in recent years. Healthcare organizations must adapt to changing threat landscapes to protect individual rights in the health sector and ensure privacy protections meet HIPAA and national standards.

Using data from past years, experts predict that the digital landscape of the healthcare sector will continue to face significant cyber threats.

Here are the common HIPAA violation-related trends:

Healthcare Sector Has the Highest Number of Security Breaches

According to the HIPAA Journal, the healthcare sector accounts for the highest number of security breaches compared to other industries.

Most breaches involve PHI (protected health information, also referred to as personal health information), which includes sensitive data of patients and doctors, laboratory test results, prescriptions, doctor visits, and vaccine results, or other personally identifiable patient information (PII) like names, addresses, emails, and social security numbers. It’s worth noting that PHI held by hospitals is usually in electronic form, also known as ePHI.

Important data breach statistics gathered from the HIPAA Journal, as well as other sources like Verizon, TechJury, OCR (Office for Civil Rights), insurance companies, law enforcement agencies, and other health information technology providers, show that healthcare providers need to prioritize their cybersecurity efforts or risk losing important data and incurring massive fines.

Learn how to implement a cybersecurity program for the healthcare industry >

Exposed Medical Records Continue to Rise Rapidly Year-over-Year

Many hospitals and healthcare systems still operate with legacy technology, which puts them at extreme risk of a data breach. One of the most common HIPAA violations that healthcare systems are penalized for is failing to encrypt their digital devices because they still use outdated security policies.

In fact, many healthcare systems do not have any cybersecurity processes implemented, which could result in significant fines and punishments by the US Department of Health and Human Services (HHS).

Learn how to choose the best healthcare attack surface management product >

One indicating factor of poorly secured systems is the rapidly increasing amount of patient and medical records that continue to be exposed.

Data Breaches Involving 500 or More Medical Records

  • Between 2009 and 2021, the OCR received 4,419 data breach reports involving 500 or more medical records from US healthcare institutions, which disclosed approximately 314 million medical data items without written authorization.
  • In 2018, there were almost two data breach occurrences per day involving more than 500 or more medical records.
  • In 2020, there were 642 reported data breaches involving more than 500 or more medical records. In 2021, this number increased to 714 data breach reports involving 500 or more medical records, an average of 1.95 data breach reports per day.
  • From March 2021 to February 2022, 723 data breaches involving 500 or more records were reported, a record number of data breaches within a 12-month period.
  • In 2022, the average rate of reported data breaches involving 500 or more records was approximately two reports per day, nearly double the amount in 2018 (as of June 30, 2022).

Learn about the 13 biggest healthcare data breaches >

Costs for Prevention are High, but HIPAA Penalties & Data Breach Costs are Even Higher

Because the digital age is still relatively new, many industries, especially healthcare, have yet to prioritize cybersecurity. Many organizations would rather invest in business operations or staffing over ensuring data security, but recent HIPAA Security Rule violations have shown that failing to protect patient data and failing to provide breach notifications can be extremely costly.

Learn more about HIPAA violation penalties >

It’s almost important to highlight that health institutions that fail to enter business associate agreements (BAA) also risk significant HIPAA penalties.

Learn more about the worst HIPAA violation cases >

Malware & Ransomware Attacks are Extremely Dangerous

Small clinics and state-level hospitals are at risk of data breaches resulting from ransomware attacks in which attackers compromise a hospital’s security, lockout systems, steal critical PHI data, and demand money for both the release of the systems and the data.

Bad actors then use the stolen medical data to commit healthcare fraud or sell to the dark web. Stealing healthcare data is a lucrative cybercrime, as it may be up to 50 times more profitable than exploiting credit card information on average.

  • According to this Sophos report, more than 65% of healthcare services reported a ransomware attack in 2021, doubling from 2020, which reported 34%.
  • In 2021, many healthcare-related cyber incidents involved ransomware attacks as the most common threat. The DOJ has recently dubbed ransomware attacks equal to terrorist attacks, strongly advising executives and IT security teams to properly communicate and work together to focus on preventing and dealing with ransomware attacks.
  • The average ransomware payments in Q1 2022 were $211,259, down 34% compared to Q4 2021. Speculations are that hacker groups target smaller hospitals that have a higher chance of paying ransoms since they often have poor cybersecurity. Bigger attacks also involve more law enforcement and larger investigations.
  • In Q1 2019, more than 85% of hospitals that were victims of ransomware attacks paid the required ransom. However, due to strong law enforcement recommendations not to pay the ransom, the number of hospitals that paid the ransom dropped to 46% in Q1 2022.

Learn how to choose a healthcare cyber risk remediation product >

Employee Negligence Contributes to HIPAA Violations

Medical malpractice, human error, and a general lack of cybersecurity practices in handling medical records are other major factors that lead to HIPAA non-compliance violations and privacy law breaches. Not having strong data privacy practices is typically due to a lack of security training or education.

Improperly trained medical staff have difficulty recognizing malicious activities like phishing attempts, and are prone to misplacing, or improperly handling medical records and digital devices like phones or laptops. This results in the exposure of individually identifiable health information like patient information and social security numbers.

Learn how to choose an ideal HIPAA compliance product >

According to HIPAA, malpractice refers to the improper handling of medical data that results in critical health information privacy breaches. Negligent practices can be broken down into two types:

  • Accidental negligence involving misplacement of medical records or improper disclosure of confidential PHI
  • Malicious negligence involves the deliberate mishandling of PHI by disgruntled employees, often for personal gain. This can include a purposeful intention to sell, disclose, or view confidential data.

Both types of negligence are considered an insider threat, as long as they have access to electronic health records like ePHI (electronic protected health information) and misuse it, adversely impacting the healthcare provider.

In contrast to negligence, though, malicious use of medical records constitutes a more serious breach of HIPAA regulations, and bad actors may face imprisonment or other criminal penalties.

Here are some statistics relating to negligent insiders:

Learn more about the most common HIPAA violations >

How UpGuard Can Help Organizations Become HIPAA Compliant

Every healthcare institution needs to understand the importance of increasing cyber risks and how failing to secure data properly can result in significant financial, reputational, and operational damages. More importantly, patient privacy and confidential medical data have been violated and potentially exposed by the public and threat actors.

UpGuard helps healthcare organizations, healthcare providers, and all related business associates meet HIPAA compliance to help prevent data breaches from happening. UpGuard supports the healthcare industry by helping manage security postures and gain better visibility into third-party contractors using our industry-leading attack surface management and third-party monitoring software.

Ready to see
UpGuard in action?