Last Updated: November 6, 2021
Are you concerned about your data security and privacy?
Have people accessed your information in a large-scale data breach like Target, Experian, or Anthem?
How would you even know?
Healthcare data breaches statistics can answer that very question. You will now read a carefully picked list of the most important stats on the matter. Knowing those will make you more competent than 99% of people.
Healthcare data breaches have been rampant over the past several years. Just over the last decade, there have been over 2,550 data breaches with millions of records being affected. Even though none of them ranks among the biggest data breaches, the nature of the stolen information makes them considerably more serious than most.
This makes it kind of likely that if you’ve ever been in a hospital, you may have had some personal information stolen.
Alright, so let me ask you the following – what is a security breach in healthcare?
Healthcare Data Breaches Statistics
- Hospitals account for 30% of all large data breaches.
- More than 2100 healthcare data breaches have been reported in the US since 2009.
- 18% of teaching hospitals reported that they had experienced a data breach.
- 6% of pediatric hospitals reported data breaches.
- There is a 75.6% chance of a breach of at least five million records in the next year.
- 34% of healthcare data breaches come from unauthorized access or disclosure.
- By the end of 2020, security breaches cost $6 trillion for healthcare companies.
- Nearly 80 million people were affected by the Anthem Breach.
Data suggests that the larger the hospital, the greater the chance of a data breach occurring. That’s partly due to smaller hospitals attracting less attention from hackers.
While people are well aware of the need for improved security, the sheer number of data breaches will come as a shock to many.
That said, let’s start with the latest data from 2021.
Alarming Healthcare Data Breaches Statistics for 2021
In a single month of 2020, 39 high-profile breaches took place in the healthcare industry, and in total, security breaches cost the sector around $6 trillion.
Here’s more on healthcare data breaches statistics in 2021:
1. By the end of 2020, security breaches cost $6 trillion for healthcare companies.
This is quite a rise from the $3 trillion figure published back in 2017, making it one of the largest ‘transfers of wealth’ ever known. It also highlights the continual need for proper cybersecurity in this sector. At least, that’s what healthcare data breaches stats in 2021 reveal.
2. The healthcare industry is expected to spend around $65 billion on cybersecurity between 2017 and 2021.
(Source: HERJAVEC GROUP)
This is perhaps an appropriate response, considering that data breaches in the healthcare sector are becoming much more commonplace and that some doctors have even resorted to turning away patients as a precaution.
3. 1,531,855 records were breached across 39 healthcare data breaches in February 2020 alone.
(Source: HIPAA Journal)
Worryingly, this represents a 21.9% month-on-month increase, with the total number of breached records increasing by 231%. This means that more records were breached in February alone than in the last three months combined, according to information on healthcare data breaches in 2020.
4. Ransomware attacks were expected to quadruple between 2017 and 2020.
(Source: CYBERCRIME MAGAZINE)
They are also expected to grow five times by 2021. This is according to a report containing a number of healthcare cybersecurity statistics for 2020 by Cybersecurity Ventures. It was also revealed that the majority of cyberattacks in hospitals start with spear-phishing emails used to infect these settings with ransomware.
5. The most popular targets among hackers are the healthcare and finance industries, at 15% and 10% respectively.
In fact, according to healthcare cybersecurity stats for 2021, the healthcare sector alone lost $25 billion last year. The report, released by Singapore-based Cyber Risk Management (CyRiM), states that healthcare will be one of the industries most affected by hackers.
General Healthcare Data Breaches Statistics
Let’s continue with some more important stats that prove how big the problem is.
6. In 2020, data breaches affected 26.4 million records in the US alone.
The targeting of healthcare IT resources has been rising since 2018. In 2020, breaches cost the industry over $13 billion.
According to US healthcare data breaches statistics, there were 599 breaches in 2020. The privacy violations affected over 26 million records, compromising 92% of them.
7. It has been estimated that lost or stolen PHI may cost the US healthcare industry up to US$7 billion annually.
PHI stands for protected health information, and the lack of security around it has resulted in a startling monetary loss. Healthcare breaches data statistics can put things in perspective – hopefully, one that will allow us to manage the situation.
8. There is a 75.6% chance of a breach of at least five million records in the next year.
(Source: Journal of Cybersecurity)
The probability of breaches of this magnitude is astounding to anyone unaware of the trends. What’s probably even more astounding is that such a breach would not necessarily be surprising at all, considering the number of breached records over the last few years.
9. There is a 25.7% chance of another Anthem-sized breach (80+ million records) within the next three years.
(Source: Journal of Cybersecurity)
The news of the Anthem breach faded as quickly as it surfaced. Security breaches in healthcare do happen quite often nowadays. Some hope it would take a breach of this magnitude before those responsible can start addressing the issue.
10. Between 60 and 80% of data breaches go unreported.
While this statistic isn’t specific to healthcare data breaches, it still puts things in perspective. The figure for breaches related to medical institutions is likely to be similar.
11. Healthcare data breach costs highest of any industry at $408 per record.
(Source: HIPAA Journal)
Healthcare data breaches stats put this number further into context. Millions of records are breached each year, leading to astronomical costs when you draw the line.
12. 47% of healthcare data breaches come from hackers or various IT incidents.
(Source: Electronic Health Reporter)
Don’t go blaming the IT guy just yet. Many hospitals still use outdated data systems and structures that need significant overhauling. Only then would a hospital be able to deploy effective security measures and bring these data breaches in healthcare down to a minimum. The prevalence of hackers only confirms the absence of real security.
13. 34% of healthcare data breaches come from unauthorized access or disclosure.
(Source: Kays Harbor)
Up 162% over the past three years, unauthorized access is already a massive issue. Nevertheless, it is still growing at an astounding rate.
14. Negligent breaches happen twice as often as malicious ones.
(Source: JOCS Vol. 2 Iss. 1)
Negligent breaches are defined as those that occur as a result of internal mistakes. In contrast, external forces like hacking would fall into the “malicious” category. In fact, 66% of organizations consider malicious insider attacks or accidental breaches more likely than external attacks. The study found that over 1400 breaches were negligent and about 700 were malicious. Healthcare hacks are a great threat, and human negligence is responsible for a big part of why that is.
15. 39% of healthcare organizations became aware of a breach months after it happened.
If a breach should occur, the hope is that it is quickly discovered in order to limit or even prevent any damage. With 39% of breaches taking months or more to be discovered, hackers have plenty of time to do their thing while the victims are unaware of the trespass.
16. Healthcare data breaches stats show that while only 15% of data breaches in different industries are defined as theft and loss, 32% of healthcare ones fit into this category.
(Source: Health Care Dive)
Given the state of cybersecurity and technology in medicine, this stat shouldn’t come as a surprise. Say a thief wanted to steal $10,000 from a guarded BRINKS truck, but later saw $100,000 sitting in an unguarded, locked room. Which would the thief choose? The easier target, of course. Healthcare just happens to be that easy target in this case.
17. In 2020, the number of insider threats grew to 4,716.
There are a lot of reasons why employees expose a company to hacking, including greed, carelessness, or revenge. Over the last two years, data breaches by staff members increased by almost 50%.
18. 24% of physicians couldn’t identify the common signs of malware.
(Source: Digital Guardian)
This could be due to the age of many medical professionals. Older generations have a more difficult time adapting to new tech. As a result, they’re less aware of how cyber attacks work, how to spot the different types of malware, and how to neutralize them.
19. In 2020, healthcare suffered close to 240 million hacking attempts.
(Source: Security Magazine)
Healthcare data breaches stats show that 2020 saw a lot of hacking attempts. Cerber accounted for 58% of the threats. It holds files hostage and demands money for their release.
The second most common ransomware was Sodinokibi, with 16%. This one is harder to detect. VBCrypt that targets Windows wasn’t that far behind with 14%. Though still dangerous, it wasn’t able to spread on its own.
20. Nearly 80 million people were affected by the Anthem Breach.
When was the Anthem breach? This breach occurred on February 4th, 2015, but was only discovered a few weeks later. Anthem later settled for $116 million, while admitting no wrongdoing. If you look at this settlement as “price per person affected” the total comes out at $1.45 per affected record. This makes it seem like Anthem got away too easily.
21. The healthcare industry invests less than 6% of its budget on cybersecurity.
(Source: Healthcare IT News)
The US spends 16% of its federal budget on cybersecurity, for comparison. The healthcare industry, more than any I can think of, could do well to put extra effort into solving these issues.
22. 88% of healthcare workers opened phishing emails.
(Source: Reliable IT MSP)
Phishing is a common way for data thieves to pull off attacks. Naturally, a decent part of health information security breaches takes place because of hackers using this approach. Of course, just because healthcare workers opened these emails doesn’t mean all of them fell prey to these attempts. Still, it raises a red flag when such emails are finding their way through to the workers.
23. 50% of doctors were in the “risk” category, making them likely to commit a serious data breach.
Perhaps the change should start by educating doctors and future medical professionals on proper data security measures. Half of the doctors being in the risk category translates into an extremely high chance of breach – one that no cybersecurity specialist can prevent.
24. Healthcare data breaches cost an average of $408 per record, which is three times higher than the cross-industry average of $148 per record.
This shows how valuable medical records are when compared to those of other industries. Most sources of records are often incomplete, therefore insufficient for the purposes of identity theft. This makes healthcare a prime target as their records contain a wealth of information – enough for a potential identity thief. Healthcare cybersecurity statistics from 2018 are not promising, but hopefully, the right people will know how to use this information to turn the tide.
25. Tenable Network Security’s cybersecurity report gave the healthcare industry a grade of 54% when it came to cybersecurity assurance.
(Source: Tenable Network Security)
The only passing grade given, which is a C or above, was given to healthcare data centers. Data centers are often run by independent data and cybersecurity professionals, leading to a better score. Keep in mind if we decide to only evaluate medical professionals, we will likely come up with an even lower score.
26. Healthcare cybersecurity roles take 70% longer to fill compared to IT jobs in other industries.
(Source: Info Security)
In a survey to understand why health information security breaches keep occurring, researchers found that talent shortage in the sector could be a huge contributor. The findings show that these roles take 70% longer to fill on average.
27. Healthcare data breaches in the US fell by 48% in January 2021.
(Source: HIPAA Journal)
In January 2021, healthcare in America saw a nearly 50% reduction in data breaches compared to the month prior. It dropped from 62 in December 2020 to 32 in January 2021.
That translates to about one incident per day, which is a huge improvement compared to 2020. In the last year, September had the highest number of data breaches at 95, translating to about three per day.
28. Security hacks could rise by close to 10% in 2021.
70% of corporations live in fear of insider threats. Experts predict the cases will go up by almost 10% in 2021 alone.
Here’s a healthcare data breaches list for 2020:
- Stradis Healthcare – the previous vice president deleted and modified records that cost the company $5000 to restore.
- The Amazon insider trading – a manager made over $1 million from disclosing the organization’s private data to family members.
- In an attempted hack, a Tesla employee rejected a $1,000,000 offer to install malware into its network.
- Shopify’s abuse of access rights by two support employees resulted in a 1.27% drop in the stock price.
- The social engineering hack that stole Twitter employee credentials, gaining access to its administrative tool. The hackers made away with $180,000, leading to a stock price reduction of 4%.
29. Around 50% of healthcare organizations and their business associates have not increased their cybersecurity budgets in the last year. About 10% even lowered spending on security.
(Source: Identity Experts Corp.)
This is probably an indication most of these organizations are not aware of healthcare data breaches statistics. Despite the issues they’re facing, many organizations are not even trying to modernize. Instead, apparently, most of them choose to pretend as if they won’t be responsible for the next data breach.
You already know how big the problem is. But these numbers paint only half of the picture. That’s why we’ve prepared a list of the biggest data breaches in healthcare to show you some real-life examples.
The Largest Healthcare Data Breaches in History
We’ve seen the numbers. Now, let’s see the cases:
1. Anthem Blue Cross
(Source: Digital Guardian)
Impact: 78.8 million patient records stolen
Perhaps one of the biggest healthcare data security breaches. A total of 78.8 million patient records were stolen. Although this sounds bad enough, the type of data taken was highly sensitive and included records like social security numbers, dates of birth, and addresses. Despite most victims being Anthem plan members, some were not. This is because Anthem also worked with a number of independent insurance companies, managing their paperwork as well.
2. Premera Blue Cross
(Source: New York Times)
Impact: 11+ million people
Premera Blue Cross experienced a cyberattack in the middle of March 2015. 11 million customers might have been affected as attackers managed to access financial and medical data as well as dates of birth and social security numbers.
So why might this attack have occurred? It’s because information like this is very valuable to criminals for crimes like insurance fraud.
3. Excellus BlueCross BlueShield
(Source: USA Today)
Impact: 10 million people
Although it was 2015 when Excellus found out about this patient data breach, the campaign had, in fact, been going on for two whole years. This was worrying, as potentially, hackers might have been able to access all patient records. Hackers stole the usual data they go for, along with other information like financial payment, claims details, and even credit card numbers.
Impact: 4.9 million patients affected
Late 2011 saw a huge data breach of medical and personal data for both families and military patients. Unusually, the breach occurred when a data contractor was transferring records from one facility to another. When the vehicle was parked and unattended, the records were stolen. As well as the usual personal details you’d expect, information on the tapes also included prescriptions, clinical notes, and lab test data. Luckily, they contained no financial information.
5. University of California, Los Angeles Health
(Source: LA Times)
Impact: 4.5 million patients affected
Another one on the healthcare data breaches list. Someone hacked the UCLA Health System’s computer network, leaving 4.5 million patient records exposed. They exposed highly confidential information like health plan identification numbers, patient procedures, and diagnoses. They also leaked sensitive records like social security numbers, dates of birth, and names.
What Does the Future Hold?
There is much talk of blockchain applications in healthcare and the security boost they could bring. In fact, the total spending on integrating blockchain into healthcare will rise to $5.61 billion by 2025. Still, so far the healthcare data of the vast majority of people is a highly lucrative sitting duck.
Unfortunately, you and I can’t save the healthcare sector. However, we can still protect our own data. That’s why we suggest using an antivirus solution for malware protection, a VPN service to keep your data private, and a password manager for encrypted password storage. This set of three tools can do wonders in terms of cybersecurity.
Stay safe and we’ll see you next time!
When an individual, either known to the organization or outside it, discloses sensitive patient data, either by accident or on purpose.
Last year in the US alone, there were just over four data breaches per day, according to healthcare data breaches statistics.
Hacking or IT incidents, unauthorized access, theft of equipment or paper records, loss of equipment or records containing sensitive information, and improper data disposal.
They may have a negative effect on patient mortality as care practices can be greatly disrupted after the event due to post-data breach recovery activities.
- HERJAVEC GROUP
- HIPAA Journal
- Cybercrime Magazine
- Verizon (pdf)
- Digital Guardian
- New York Times
- USA Today
- LA Times
- Privacy Rights
- HIPAA Journal
- Electronic Health Reporter
- Kays Harbor
- Oxford Academic
- Healthcare Dive
- Digital Guardian
- Security Magazine
- Healthcare IT News
- Reliable IT MSP
- Becker ASC
- Identity Experts Corp
- Info Security
- HIPAA Journal