Last Updated: March 29, 2021
Are you concerned about your data security and privacy?
Has your information ever been accessed in a large-scale data breach like Target, Experian, or Anthem?
How would you even know?
Healthcare data breaches statistics can answer that very question. What you’ll read in the next few minutes is a carefully picked list of the most important statistics on the matter. Knowing those will make you more competent on the matter than 99% of people.
Healthcare data breaches have been rampant over the past several years. Just over the last decade, there have been over 2,550 data breaches with millions of records being affected. Even though none of them ranks among the biggest data breaches, the nature of the stolen information makes them considerably more serious than most.
This means that if you’ve ever been in a hospital, some of your personal information may well have been stolen.
Alright, so let me ask you the following – what is a security breach in healthcare?
Healthcare Data Breaches Statistics
- Hospitals account for 30% of all large data breaches.
- More than 2100 healthcare data breaches have been reported in the US since 2009.
- 18% of teaching hospitals reported that they had experienced a data breach.
- 6% of pediatric hospitals reported data breaches.
- There is a 75.6% chance of a breach of at least five million records in the next year.
- 34% of healthcare data breaches come from unauthorized access or disclosure.
- By the end of 2020, it was expected that security breaches could cost healthcare companies $6 trillion.
- Nearly 80 million people were affected by the Anthem Breach.
Data suggests that the larger the hospital, the greater the chance of a data breach occurring. That’s partly due to smaller hospitals attracting less attention from hackers.
While people are well aware of the need for improved security, the sheer amount of data breaches will come as a shock to many.
That said, let’s start with the latest data from 2021.
Alarming Healthcare Data Breaches Statistics in 2021
In the healthcare industry, 39 high-profile breaches took place in February 2020 alone, and, in total, breaches could cost this sector $6 trillion.
Here’s more on healthcare data breaches statistics in 2021:
1. By the end of 2020, it was expected that security breaches could cost healthcare companies $6 trillion.
This is quite a rise from the $3 trillion figure published back in 2017, making it one of the largest ‘transfers of wealth’ ever known. It also highlights the continual need for proper cybersecurity in this sector. At least, that’s what healthcare data breaches stats in 2020 revealed.
2. The healthcare industry is expected to spend around $65 billion on cybersecurity between 2017 and 2021.
(Source: HERJAVEC GROUP)
This is perhaps an appropriate response, considering that data breaches in the healthcare sector are becoming much more commonplace and that some doctors have even resorted to turning away patients as a precaution.
3. 1,531,855 records were breached across 39 healthcare data breaches in February 2020 alone.
(Source: HIPAA Journal)
Worryingly, this represents a 21.9% month-on-month increase, with the total number of breached records increasing by 231%. This means that more records were breached in February alone than in the previous three months combined, according to information on healthcare data breaches in 2020.
4. Ransomware attacks were expected to quadruple between 2017 and 2020.
(Source: CYBERCRIME MAGAZINE)
They are also expected to grow fivefold by 2021. This is according to a report containing a number of healthcare cybersecurity statistics for 2020, written by Cybersecurity Ventures. It was also revealed that the majority of cyberattacks in hospitals start with ‘spear-phishing’ emails used to infect these settings with ransomware.
5. The most popular targets among hackers are the healthcare and finance industries, at 15% and 10% respectively.
In fact, according to healthcare cybersecurity stats for 2020, the healthcare sector alone lost $25 billion last year. The report, released by Singapore-based Cyber Risk Management (CyRiM), suggests healthcare will be one of the industries worst affected by hackers.
General Healthcare Data Breaches Statistics
Let’s continue with some more important stats that prove how big the problem is.
6. 7.9 billion records were breached in 2019 by September.
(Source: Help Net Security, Norton)
That was a 33.3% increase compared to 2018. The statistics show that from August 2018 to March 2019, more than 20 million records were leaked in healthcare data breaches. This showed us we need to give even more serious consideration to protecting our privacy.
7. It has been estimated that lost or stolen PHI may cost the US healthcare industry up to US$7 billion annually.
PHI stands for protected health information, and the lack of security around it has resulted in a startling monetary loss. Healthcare data breach statistics can put things in perspective – hopefully one that will allow us to manage the situation.
8. There is a 75.6% chance of a breach of at least five million records in the next year.
(Source: Journal of Cybersecurity)
The probability of breaches of this magnitude is astounding to anyone unaware of the trends. What’s probably even more astounding is that such a breach would not necessarily be surprising at all, considering the number of breached records over the last few years.
9. There is a 25.7% chance of another Anthem-sized breach (80+ million records) within the next three years.
(Source: Journal of Cybersecurity)
The news of the Anthem breach faded as quickly as it surfaced. Security breaches in healthcare happen quite often nowadays. Some hope it will take a breach of this magnitude for those responsible to start addressing the issue.
10. Between 60 and 80% of data breaches go unreported.
While this statistic isn’t specific to healthcare data breaches, it still puts things in perspective. The figure for breaches related to medical institutions is likely to be similar.
11. Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record.
(Source: HIPAA Journal)
Healthcare data breaches stats put this number further into context. Millions of records are breached each year, leading to astronomical costs when you add it all up.
12. 47% of healthcare data breaches come from hackers or various IT incidents.
(Source: Electronic Health Reporter)
Don’t go blaming the IT guy just yet. Many hospitals still use outdated data systems and structures that need significant overhauling. Only then would a hospital be able to deploy effective security measures and bring these data breaches in healthcare down to a minimum. The prevalence of hackers only confirms the absence of real security.
13. 34% of healthcare data breaches come from unauthorized access or disclosure.
(Source: Kays Harbor)
Up 162% over the past three years, unauthorized access is already a massive issue. Nevertheless, it is still growing at an astounding rate.
14. Negligent breaches happen twice as often as malicious ones.
(Source: JOCS Vol. 2 Iss. 1)
Negligent breaches are defined as those that occur as a result of internal mistakes. In contrast, external forces like hacking would fall into the “malicious” category. The study found that over 1400 breaches were negligent and about 700 were malicious. Healthcare hacks are a great threat, and human negligence is responsible for a big part of why that is.
15. 56% of incidents in 2015 were discovered within several days. Still, months or more went by before 39% of the studied healthcare organizations became aware of the breach.
If a breach should occur, the hope is that it is quickly discovered in order to limit or even prevent any damage. With 39% of breaches taking months or more to be discovered, hackers have plenty of time to do their thing while the victims are unaware of the trespass.
16. Healthcare data breaches stats show that while only 15% of data breaches in different industries are defined as theft and loss, 32% of healthcare ones fit into this category.
(Source: Health Care Dive)
Given the state of cybersecurity and technology in medicine, this stat shouldn’t come as a surprise. Say a thief wanted to steal $10,000 from a guarded BRINKS truck, but later saw $100,000 sitting in an unguarded, locked room. Which would the thief choose? The easier target, of course. Healthcare just happens to be that easy target in this case.
17. Insider and privilege misuse accounted for 23% of security incidents in 2016.
Insider and privilege misuse is often a result of disgruntled employees or ex-employees who seek gain or revenge (or both). They use their access rights to steal confidential information for personal financial gain. There are also cases of collusion of insiders with external third parties. Hospital data breaches can be alleviated by applying more stringent rules around privileged access.
18. 24% of physicians couldn’t identify the common signs of malware.
(Source: Digital Guardian)
This could be due to the age of many medical professionals. Older generations have a more difficult time adapting to new tech. As a result, they’re less aware of how cyber attacks work and how to neutralize them.
19. The healthcare industry was the victim of 88% of all ransomware attacks in the US in 2016.
Ransomware attacks are becoming more common as hackers find more ways to hold entire systems hostage. Hackers can lock the approved users out of the system as well as collect and hold data captive until their demands are met.
20. Nearly 80 million people were affected by the Anthem Breach.
When was the Anthem breach? This breach occurred on February 4th, 2015, but was only discovered a few weeks later. Anthem later settled for 116 million dollars, while admitting no wrongdoing. If you look at this settlement as “price per person affected” the total comes out at $1.45 per affected record. This makes it seem like Anthem got away too easily.
21. The healthcare industry invests less than 6% of its budget on cybersecurity.
(Source: Healthcare IT News)
The US spends 16% of its federal budget on cybersecurity, for comparison. The healthcare industry, more than any I can think of, could do well to put extra effort into solving these issues.
22. 88% of healthcare workers opened phishing emails.
(Source: Reliable IT MSP)
Phishing is a common way for data thieves to pull off attacks. Naturally, a decent part of health information security breaches takes place because of hackers using this approach. Of course, just because healthcare workers opened these emails doesn’t mean all of them fell prey to these attempts. Still, it raises a red flag when such emails are finding their way through to the workers.
23. 50% of doctors were in the “risk” category, making them likely to commit a serious data breach.
Perhaps the change should start by educating doctors and future medical professionals on proper data security measures. Half of the doctors being in the risk category translates into an extremely high chance of breach – one that no cyber security specialist can prevent.
24. Healthcare data breaches cost an average of $408 per record, which is three times higher than the cross-industry average of $148 per record.
This shows how valuable medical records are when compared to those of other industries. Most sources of records are often incomplete, therefore insufficient for the purposes of identity theft. This makes healthcare a prime target as their records contain a wealth of information – enough for a potential identity thief. Healthcare cybersecurity statistics from 2018 are not promising, but hopefully the right people will know how to use this information to turn the tide.
25. Tenable Network Security’s cybersecurity report gave the healthcare industry a grade of 54% when it came to cyber security assurance.
(Source: Tenable Network Security)
The only passing grade, which is a C or above, was given to healthcare data centers. Data centers are often run by independent data and cybersecurity professionals, leading to a better score. Keep in mind that if we evaluated only medical professionals, we would likely come up with an even lower score.
26. Around 50% of healthcare organizations and their business associates have not increased their cybersecurity budgets in the last year. About 10% even lowered spending on security.
(Source: Identity Experts Corp.)
This is probably an indication most of these organizations are not aware of healthcare data breaches statistics. Despite the issues they’re facing, many organizations are not even trying to modernize. Instead, apparently most of them choose to pretend as if they won’t be responsible for the next data breach.
You already know how big the problem is. But these numbers paint only half of the picture. That’s why we’ve prepared a list of the biggest data breaches in healthcare to show you some real-life examples.
The Largest Healthcare Data Breaches in History
We’ve seen the numbers. Now, let’s see the cases:
1. Anthem Blue Cross
(Source: Digital Guardian)
Impact: 78.8 million patient records stolen
This is perhaps one of the biggest healthcare data security breaches. A total of 78.8 million patient records were stolen. As if that weren’t bad enough, the data taken was highly sensitive and included records like social security numbers, dates of birth, and addresses. Most victims were Anthem plan members, but some were not, because Anthem also worked with a number of independent insurance companies, managing their paperwork as well.
2. Premera Blue Cross
(Source: New York Times)
Impact: 11+ million people
Premera Blue Cross experienced a cyberattack in the middle of March 2015. 11 million customers might have been affected as attackers managed to access financial and medical data as well as dates of birth and social security numbers.
So why might this attack have occurred? It’s because information like this is very valuable to criminals for crimes like insurance fraud.
3. Excellus BlueCross BlueShield
(Source: USA Today)
Impact: 10 million people
Although it was 2015 when Excellus found out about this patient data breach, the campaign had, in fact, been going on for two whole years. This was worrying, as potentially, hackers might have been able to access all patient records. Aside from the usual data valuable to hackers, other information like financial payment, claims details, and even credit card numbers were stolen.
Impact: 4.9 million patients affected
Late 2011 saw a huge data breach of medical and personal data for both families and military patients. Unusually, the breach occurred when a data contractor was transferring records from one facility to another. When the vehicle was parked and unattended, the records were stolen. As well as the usual personal details you’d expect, information on the tapes also included prescriptions, clinical notes, and lab test data. Luckily, no financial information was contained in them.
5. University of California, Los Angeles Health
(Source: LA Times)
Impact: 4.5 million patients affected
This is another entry on the healthcare data breaches list. The UCLA Health System’s computer network was hacked, leaving 4.5 million patient records exposed. Highly confidential information like health plan identification numbers, patient procedures, and diagnoses was revealed, along with other sensitive records like social security numbers, dates of birth, and names.
What Does the Future Hold?
There is much talk of blockchain applications in healthcare and the security boost they could bring. In fact, the total spending on integrating blockchain into healthcare will rise to $5.61 billion by 2025. Still, so far the healthcare data of the vast majority of people is a highly lucrative sitting duck.
Unfortunately, you and I can’t save the healthcare sector. However, we can still protect our own data. That’s why we suggest using an antivirus solution for malware protection, a VPN service to keep your data private, and a password manager for encrypted password storage. These three tiny apps can do wonders in terms of cybersecurity.
Stay safe and we’ll see you next time!
When an individual, either known to the organization or outside it, discloses sensitive patient data, either by accident or on purpose.
Last year in the US alone, there were just over four data breaches per day, according to healthcare data breaches statistics.
Hacking or IT incidents, unauthorized access, theft of equipment or paper records, loss of equipment or records containing sensitive information, and improper data disposal.
They may have a negative effect on patient mortality as care practices can be greatly disrupted after the event due to post data breach recovery activities.
- HERJAVEC GROUP
- HIPAA Journal
- Cybercrime Magazine
- Verizon (pdf)
- Digital Guardian
- New York Times
- USA Today
- LA Times
- Help Net Security
- Privacy Rights
- HIPAA Journal
- Electronic Health Reporter
- Kays Harbor
- Oxford Academic
- Healthcare Dive
- Digital Guardian
- Healthcare IT News
- Reliable IT MSP
- Becker ASC
- Identity Experts Corp