Updated · Jan 27, 2023
Are you concerned about your data security and privacy?
Have people accessed your information in a large-scale data breach like Target, Experian, or Anthem?
How would you even know?
Healthcare data breaches statistics can answer that very question. You will now read a carefully picked list of the most important stats on the matter. Knowing those will make you more competent than 99% of people.
Healthcare data breaches have been rampant over the past several years. Just over the last decade, there have been over 2,550 data breaches with millions of records being affected. Even though none of them ranks among the biggest data breaches, the nature of the stolen information makes them considerably more serious than most.
This makes it kind of likely that if you’ve ever been in a hospital, you may have had some personal information stolen.
Alright, so let me ask you the following - what is a security breach in healthcare?
Healthcare Data Breaches Statistics
- Hospitals account for 30% of all large data breaches.
- More than 2100 healthcare data breaches have been reported in the US since 2009.
- 18% of teaching hospitals reported that they had experienced a data breach.
- 6% of pediatric hospitals reported data breaches.
- There is a 75.6% chance of a breach of at least five million records in the next year.
- 34% of healthcare data breaches come from unauthorized access or disclosure.
- By the end of 2020, security breaches cost $6 trillion dollars for healthcare companies.
- Nearly 80 million people were affected by the Anthem Breach.
Data suggests that the larger the hospital, the greater the chance of a data breach occurring. That’s partly due to smaller hospitals attracting less attention from hackers.
While people are well aware of the need for improved security, the sheer amount of data breaches will come as a shock to many.
That said, let's start with the latest data from 2022.
Alarming Healthcare Data Breaches Statistics for 2023
39 high profile breaches took place only for a month in 2020 alone in the healthcare industry and in total, cost this sector around $6 trillion.
Here’s more on healthcare data breaches statistics in 2022:
1. In 2021, data breaches in healthcare cost businesses an average of $9.3 million per incident.
That’s a 29.5% rise compared to 2020.
All other industries had a combined median loss of $3.86 million in 2020 and $4.24 million in 2021. That makes healthcare’s damages 2 to 3 times higher compared to other sectors.
2. 95% of identity theft comes from stolen healthcare records.
(Source: Globe NewsWire )
Healthcare has the highest number of security breaches. This is no surprise, as stealing data from medical records is among the easiest ways to commit identity theft. In fact, this form of menace in healthcare is 25 times higher than with credit cards.
3. There were 46 data breaches in February 2022.
(Source: HIPAA Journal)
Healthcare cybersecurity statistics for 2022 reveal that incidents fell by 8% in February 2022 compared to January 2022. Nonetheless, these 46 incidents affected a whopping 2.5 million people.
4. The average ransomware payout in Q1 2022 is $211,259.
According to healthcare data breach statistics for 2022, ransomware payments went down by 34% compared to the fourth quarter of 2021. This may be due to hackers targeting smaller organizations and demanding lower payments, as attacks on large enterprises bring more serious investigations.
5. The most popular targets among hackers are the healthcare and finance industry, at 15% and 10% respectfully.
In fact, according to healthcare cybersecurity stats for 2022, the healthcare sector alone lost $25 billion alone last two years. The report, released by Singapore-based Cyber Risk Management (CyRiM) believes healthcare will be one of the industries most affected by hackers.
General Healthcare Data Breaches Statistics
Let's continue with some more important stats that prove how big the problem is.
6. Data breaches exposed at least 42 million records between March 2021 and February 2022.
According to healthcare data breach statistics for 2022, hackers exposed around 4.1 million records in March 2021 and 2.2 million in February 2022 – a reduction of roughly 1.8 million.
7. It has been estimated that lost or stolen PHI may cost the US healthcare industry up to US$7 billion annually.
PHI stands for protected health information and the lack of security around it has resulted in a startling monetary loss. Healthcare breaches data statistics can put things in perspective - hopefully, one that willl allow us to manage the situation.
8. There is a 75.6% chance of a breach of at least five million records in the next year.
(Source: Journal of Cybersecurity)
The probability of breaches of this magnitude is astounding to someone, unaware of the trends. What’s probably even more astounding is that such a breach would not necessarily be surprising at all, considering the amount of breached records over the last few years.
9. There is a 25.7% chance of another Anthem-sized breach (80+ million records) within the next three years.
(Source: Journal of Cybersecurity)
The news of the Anthem breach faded as quickly as it surfaced. Security breaches in healthcare do happen quite often nowadays. Some hope it would take a breach of this magnitude before those responsible can start addressing the issue.
10. Between 60 and 80% of data breaches go unreported.
While this statistic isn’t specific to healthcare data breaches, it still puts things in perspective. The figure for breaches related to medical institutions is likely to be similar.
11. Healthcare data breach costs highest of any industry at $408 per record.
(Source: HIPAA Journal)
Healthcare data breaches stats put this number further into context. Millions of records are breached each year, leading to astronomical costs when you draw the line.
12. 47% of healthcare data breaches come from hackers or various IT incidents.
(Source: Electronic Health Reporter)
Don’t go blaming the IT guy just yet. Many hospitals still use outdated data systems and structures that need significant rehauling. Only then would a hospital be able to deploy effective security measures and bring down these data breaches in healthcare to a minimum. The prevalence of hackers only confirms the absence of real security.
13. 34% of healthcare data breaches come from unauthorized access or disclosure.
(Source: Kays Harbor)
Up 162% over the past three years, unauthorized access is already a massive issue. Nevertheless, it is still growing at an astounding rate.
14. Negligent breaches happen twice as often as malicious ones.
(Source: JOCS Vol. 2 Iss. 1)
Negligent breaches are defined as those that occur as a result of internal mistakes. In fact, 66% of organizations consider malicious insider attacks or accidental breaches more likely than external attacks. In contrast, external forces like hacking would fall into the “malicious” category. The study found that over 1400 breaches were negligent and about 700 were malicious. Healthcare hacks are a great threat, and human negligence is responsible for a big part of why that is.
15. 39% of healthcare organizations became aware of a breach months after it happened.
If a breach should occur, the hope is that it is quickly discovered in order to limit or even prevent any damage. With 39% of breaches taking months or more to be discovered, hackers have plenty of time to do their thing while the victims are unaware of the trespass.
16. Healthcare data breaches stats show while only 15% of data breaches in different industries are defined as theft and loss, 32% of healthcare ones fit into this category.
(Source: Health Care Dive)
Given the state of cybersecurity and technology in medicine, this stat shouldn’t come as a surprise. Say a thief wanted to steal $10,000 from a guarded BRINKS truck, but later saw $100,000 sitting in an unguarded, locked room. Which would the thief choose? The easier target, of course. Healthcare just happens to be that easy target in this case.
17. 61% of data breach threats come from negligent employees.
(Source: Healthcare Innovation)
Another serious threat is malicious intent. Disgruntled staff acting on emotion poses the most significant risk, causing 14% of data breaches.
This could be via helping a hacking group compromise a system or doing it themselves.
Third-party insiders are also a risk factor. Shockingly, 94% of organizations working with outsourcing companies have given them system access. In fact, 72% have advanced permissions.
18. 24% of physicians couldn’t identify the common signs of malware.
(Source: Digital Guardian)
This could be due to the age of many medical professionals. Older generations have a more difficult time adapting to new tech. As a result, they’re less aware of how cyber attacks work, how to spot the different types of malware, and how to neutralize them.
19. In 2020, healthcare suffered close to 240 million hacking attempts.
(Source: Security Magazine)
Healthcare data breaches stats show that 2020 saw a lot of hacking attempts. Cerber accounted for 58% of the threats. It holds files hostage and demands money for their release.
The second most common ransomware was Sodinokibi, with 16%. This one is harder to detect. VBCrypt that targets Windows wasn’t that far behind with 14%. Though still dangerous, it wasn't able to spread on its own.
20. Nearly 80 million people were affected by the Anthem Breach.
When was the Anthem breach? This breach occurred on February 4th, 2015, but was only discovered a few weeks later. Anthem later settled for $116 million, while admitting no wrongdoing. If you look at this settlement as “price per person affected” the total comes out at $1.45 per affected record. This makes it seem like Anthem got away too easily.
21. The healthcare industry invests less than 6% of its budget on cybersecurity.
(Source: Healthcare IT News)
The US spends 16% of its federal budget on cybersecurity, for comparison. The healthcare industry, more than any I can think of, could do well to put extra effort into solving these issues.
22. 88% of healthcare workers opened phishing emails.
(Source: Reliable IT MSP)
Phishing is a common way for data thieves to pull off attacks. Naturally, a decent part of health information security breaches takes place because of hackers using this approach. Of course, just because healthcare workers opened these emails doesn’t mean all of them fell prey to these attempts. Still, it raises a red flag when such emails are finding their way through to the workers.
23. 50% of doctors were in the “risk” category, making them likely to commit a serious data breach.
Perhaps the change should start by educating doctors and future medical professionals on proper data security measures. Half of the doctors being in the risk category translates into an extremely high chance of breach - one that no cybersecurity specialist can prevent.
24. Healthcare data breaches cost an average of $408 per record, which is three times higher than the cross-industry average of $148 per record.
This shows how valuable medical records are when compared to those of other industries. Most sources of records are often incomplete, therefore insufficient for the purposes of identity theft. This makes healthcare a prime target as their records contain a wealth of information - enough for a potential identity thief. Healthcare cybersecurity statistics from 2018 are not promising, but hopefully, the right people will know how to use this information to turn the tide.
25. Tenable Network Security’s cybersecurity report gave the healthcare industry a grade of 54% when it came to cybersecurity assurance.
(Source: Tenable Network Security)
The only passing grade given, which is a C or above, was given to healthcare data centers. Data centers are often run by independent data and cybersecurity professionals, leading to a better score. Keep in mind if we decide to only evaluate medical professionals, we will likely come up with an even lower score.
26. Healthcare cybersecurity roles take 70% longer to fill compared to IT jobs in other industries.
(Source: Info Security)
In a survey to understand why health information security breaches keep occurring, researchers found that talent shortage in the sector could be a huge contributor. The findings show that these roles take 70% longer to fill on average.
27. Healthcare data breaches in the US fell by 48% in January 2021.
(Source: Hipaa Journal)
In January 2021, healthcare in America saw a nearly 50% reduction in data breaches compared to the month prior. It dropped from 62 in December 2020 to 32 in January 2021.
That translates to about one incident per day, which is a huge improvement compared to 2020. In the last year, September had the highest number of data breaches at 95, translating to about three per day.
28. 82% of organizations can’t determine the actual damage from an insider attack.
(Source: Ekran, HHS)
But the repercussions can be very costly. 21% result in legal liabilities, 40% in critical data loss, and 33% in operational disruption.
Here’s a healthcare data breaches list for 2021:
- An American Pharmaceutical company employee left to work for a competitor after downloading 12K confidential files to the cloud.
- A hospital employee from Texas recorded himself creating an HVAC unit backdoor that could affect employees and medication if shut down.
After quitting, a South Georgia Medical Center (SGMC) employee downloaded patient data into a USB drive. Thankfully, the security system sent an unauthorized access alert notifying the cyber team.
29. 59% of healthcare organizations plan to invest more in cybersecurity in 2022.
Data breaches have become commonplace. When they happen, organizations cannot work, get a bad reputation, pay cyber experts to clean up the mess, and sometimes pay ransoms, not to mention compensation to victims.
For those reasons, more than half of healthcare decision-makers plan to spend more money to secure their systems in 2022.
The Largest Healthcare Data Breaches in History
We’ve seen the numbers. Now, let’s see the cases:
1. Anthem Blue Cross
(Source: Digital Guardian)Year: 2015Impact: 78.8 million patient records stolen
Perhaps one of the biggest healthcare data security breaches. A total of 78.8 million patient records were stolen. Although this sounds bad enough, the type of data taken was highly sensitive and included records like social security numbers, dates of birth, and address. Despite most victims being Anthem plan members, some were not. This is because Anthem also worked with a number of independent insurance companies, managing their paperwork as well.
2. Premera Blue Cross
(Source: New York Times)Year: 2015Impact: 11+ million people
Premera Blue Cross experienced a cyberattack in the middle of March 2015. 11 million customers might have been affected as attackers managed to access financial and medical data as well as dates of birth and social security numbers.
So why might this attack have occurred? It’s because information like this is very valuable to criminals for crimes like insurance fraud.
3. Excellus BlueCross BlueShield
(Source: USA Today)Year: 2015Impact: 10 million people
Although it was 2015 when Excellus found out about this patient data breach, the campaign had, in fact, been going on for two whole years. This was worrying, as potentially, hackers might have been able to access all patient records. Hackers stole the usual data they go for, along with other information like financial payment, claims details, and even credit card numbers.
(Source: Reuters)Year: 2011Impact: 4.9 million patients affected
Late 2011 saw a huge data breach of medical and personal data for both families and military patients. Unusually, the breach occurred when a data contractor was transferring records from one facility to another. When the vehicle was parked and unattended, the records were stolen. As well as the usual personal details you’d expect, information on the tapes also included prescriptions, clinical notes, and lab test data. Luckily, they contained no financial information.
5. University of California, Los Angeles Health
(Source: LA Times)Year: 2015Impact: 4.5 million patients affected
Another one on the healthcare data breaches list. Someone hacked the UCLA Health System’s computer network, providing 4.5 million patient records exposed. They exposed highly confidential information like health plan identification numbers, patient procedures, and diagnoses. They also leaked sensitive records like social security numbers, dates of birth, and names.
What Does the Future Hold?
There are many talks of blockchain applications in healthcare and the security boost. In fact, the total spending on integrating blockchain into healthcare will rise to $5.61 billion by 2025. Still, so far, the healthcare data of the vast majority of people is a highly lucrative sitting duck.
Unfortunately, you and I can't save the healthcare sector. However, we can still protect our own data. That's why we suggest using an antivirus solution for malware protection, a VPN service to keep your data private, and a password manager for encrypted password storage. The set of these three software can do wonders in terms of cybersecurity.
Stay safe and we'll see you next time!
What is data breach in healthcare?
How many data breaches a day?
What are the most common causes of health information system breaches?
Do hospital data breaches reduce patient care quality?
Deyan has been fascinated by technology his whole life. From the first Tetris game all the way to Falcon Heavy. Working for TechJury is like a dream come true, combining both his passions – writing and technology. In his free time (which is pretty scarce, thanks to his three kids), Deyan enjoys traveling and exploring new places. Always with a few chargers and a couple of gadgets in the backpack. He makes mean dizzying Island Paradise cocktails too.
Latest from Author
Your email address will not be published.
Updated · Jan 26, 2023
Updated · Jan 25, 2023