Healthcare Data Breaches Statistics 2020

by Spencer Varada | March 21, 2019

Are you concerned about your data security and privacy?

Has your information ever been accessed in a large-scale data breach like Target, Experian, or Anthem?

How would you even know?

Healthcare data breaches statistics can answer that very question. What you’ll read in the next few minutes is a carefully picked list of the most important statistics on the matter. Knowing those will make you more competent on the matter than 99% of people.

Healthcare data breaches have been rampant over the past several years. Just over the last decade, there have been over 2,550 data breaches with millions of records being affected. Even though none of them ranks among the biggest data breaches, the nature of the stolen information makes them considerably more serious than most.

This makes it fairly likely that, if you’ve ever been in a hospital, you have had some personal information stolen.

Alright, so let me ask you the following – what is a security breach in healthcare?

Healthcare Data Breaches Statistics

  • Hospitals account for 30% of all large data breaches
  • More than 2100 healthcare data breaches have been reported in the US since 2009
  • 18% of teaching hospitals reported that they had experienced a data breach
  • 6% of pediatric hospitals reported data breaches
  • There is a 75.6% chance of a breach of at least five million records in the next year
  • 34% of healthcare data breaches come from unauthorized access or disclosure
  • The healthcare industry was the victim of 88% of all ransomware attacks in U.S. industries in 2016
  • Nearly 80 million people were affected by the Anthem Breach

Data suggests that the larger the hospital, the greater the chance of a data breach occurring. That’s partly due to smaller hospitals attracting less attention from hackers.

While people are well aware of the need for improved security, the sheer number of data breaches will come as a shock to many.

Healthcare Data Breaches Statistics

Let’s start with the basics. This is how big the problem is.

1. 7.9 billion records were breached in 2019 by September.

(Source: Help Net Security, Norton)

That was a 33.3% increase compared to 2018. The statistics show that from August 2018 to March 2019, more than 20 million records were leaked in healthcare data breaches. This showed us we need to give even more serious consideration to protecting our privacy.

2. It has been estimated that lost or stolen PHI may cost the US healthcare industry up to US$7 billion annually.

(Source: JAMIA)

PHI stands for protected health information, and the lack of security around it has resulted in a startling monetary loss. Healthcare data breach statistics can put things in perspective – hopefully one that will allow us to manage the situation.

3. There is a 75.6% chance of a breach of at least five million records in the next year.

(Source: Journal of Cybersecurity)

The probability of breaches of this magnitude is astounding to someone unaware of the trends. What’s probably even more astounding is that such a breach would not necessarily be surprising at all, considering the number of breached records over the last few years.

4. There is a 25.7% chance of another Anthem sized breach (80+ million records) within the next three years.

(Source: Journal of Cybersecurity)

The news of the Anthem breach faded as quickly as it surfaced. Security breaches in healthcare do happen quite often nowadays. Some hope it would take a breach of this magnitude before those responsible can start addressing the issue.

5. Between 60 and 80% of data breaches go unreported.

(Source: PRC)

While this statistic isn’t specific to healthcare data breaches, it still puts things in perspective. The figure for breaches related to medical institutions is likely to be similar.

6. Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record.

(Source: HIPAA Journal)

Healthcare data breaches stats put this number further into context. Millions of records are breached each year, leading to astronomical costs when you add it all up.

7. 47% of healthcare data breaches come from hackers or various IT incidents.

(Source: Electronic Health Reporter)

Don’t go blaming the IT guy just yet. Many hospitals still use outdated data systems and structures that need significant overhauling. Only then would a hospital be able to deploy effective security measures and bring down these data breaches in healthcare to a minimum. The prevalence of hackers only confirms the absence of real security.

8. 34% of healthcare data breaches come from unauthorized access or disclosure.

(Source: Kays Harbor)

Up 162% over the past three years, unauthorized access is already a massive issue. Nevertheless, it is still growing at an astounding rate.

9. Negligent breaches happen twice as often as malicious ones.

(Source: JOCS Vol. 2 Iss. 1)

Negligent breaches are defined as those that occur as a result of internal mistakes. In contrast, external forces like hacking would fall into the “malicious” category. The study found that over 1400 breaches were negligent and about 700 were malicious. Healthcare hacks are a great threat, and human negligence is responsible for a big part of why that is.

10. 56% of incidents in 2015 were discovered within several days. Still, months or more went by before 39% of the studied healthcare organizations became aware of the breach.

(Source: Verizon)

If a breach should occur, the hope is that it is quickly discovered in order to limit or even prevent any damage. With 39% of breaches taking months or more to be discovered, hackers have plenty of time to do their thing while the victims are unaware of the trespass.

11. Healthcare data breaches stats show that while only 15% of data breaches in different industries are defined as theft and loss, 32% of healthcare ones fit into this category.

(Source: Health Care Dive)

Given the state of cybersecurity and technology in medicine, this stat shouldn’t come as a surprise. Say a thief wanted to steal $10,000 from a guarded BRINKS truck, but later saw $100,000 sitting in an unguarded, locked room. Which would the thief choose? The easier target, of course. Healthcare just happens to be that easy target in this case.

12. Insider and privilege misuse accounted for 23% of security incidents in 2016.

(Source: Verizon)

Insider and privilege misuse is often a result of disgruntled employees or ex-employees who seek gain or revenge (or both). They use their access rights to steal confidential information for personal financial gain. There are also cases of collusion of insiders with external third parties. Hospital data breaches can be alleviated by applying more stringent rules around privileged access.

13. 24% of physicians couldn’t identify the common signs of malware.

(Source: Identity Theft Center)

This could be due to the age of many medical professionals. Older generations have a more difficult time adapting to new tech. As a result, they’re less aware of how cyber attacks work and how to neutralize them.

14. The healthcare industry was the victim of 88% of all ransomware attacks in U.S. industries in 2016.

(Source: IBM)

Ransomware attacks are becoming more common as hackers find more ways to hold entire systems hostage. Hackers can lock the approved users out of the system as well as collect and hold data captive until their demands are met.

15. Nearly 80 million people were affected by the Anthem Breach.

(Source: CNN)

When was the Anthem breach? This breach occurred on February 4th, 2015, but was only discovered a few weeks later. Anthem later settled for 116 million dollars, while admitting no wrongdoing. If you look at this settlement as “price per person affected” the total comes out at $1.45 per affected record. This makes it seem like Anthem got away too easily.

16. The healthcare industry invests less than 6% of its budget in cybersecurity.

(Source: CyberPolicy)

The US spends 16% of its federal budget on cybersecurity, for comparison. The healthcare industry, more than any I can think of, could do well to put extra effort into solving these issues.

17. 88% of healthcare workers opened phishing emails.

(Source: GDS)

Phishing is a common way for data thieves to pull off attacks. Naturally, a decent part of health information security breaches takes place because of hackers using this approach. Of course, just because healthcare workers opened these emails doesn’t mean all of them fell prey to these attempts. Still, it raises a red flag when such emails are finding their way through to the workers.

18. 50% of doctors were in the “risk” category, making them likely to commit a serious data breach.

(Source: HealthStats)

Perhaps the change should start by educating doctors and future medical professionals on proper data security measures. Half of the doctors being in the risk category translates into an extremely high chance of breach – one that no cyber security specialist can prevent.

19. Healthcare data breaches cost an average of $408 per record, which is three times higher than the cross-industry average of $148 per record.

(Source: Becker)

This shows how valuable medical records are when compared to those of other industries. Most sources of records are often incomplete, therefore insufficient for the purposes of identity theft. This makes healthcare a prime target as their records contain a wealth of information – enough for a potential identity thief. Healthcare cybersecurity statistics from 2018 are not promising, but hopefully the right people will know how to use this information to turn the tide.

20. Tenable Network Security’s cybersecurity report gave the healthcare industry a grade of 54% when it came to cyber security assurance.

(Source: Tenable Network Security)

The only passing grade given, which is a C or above, was given to healthcare data centers. Data centers are often run by independent data and cybersecurity professionals, leading to a better score. Keep in mind if we decide to only evaluate medical professionals, we will likely come up with an even lower score.

21. Around 50% of healthcare organizations and their business associates have not increased their cybersecurity budgets in the last year. About 10% even lowered spending on security.

(Source: Identity Experts Corp.)

This is probably an indication most of these organizations are not aware of healthcare data breaches statistics. Despite the issues they’re facing, many organizations are not even trying to modernize. Instead, apparently most of them choose to pretend as if they won’t be responsible for the next data breach.

What Does the Future Hold?

There is much talk of blockchain applications in healthcare and the security boost – among other things – this tech can bring, but so far the healthcare data of the vast majority of people is a highly lucrative sitting duck.


  1. Help Net Security, Norton
  2. JAMIA
  3. Oxford Academic Journal of Cybersecurity
  4. Oxford Academic Journal of Cybersecurity
  5. Privacy Rights (PRC)
  6. HIPAA Journal
  7. Electronic Health Reporter
  8. Kays Harbor
  9. Oxford Academic Journal of Cybersecurity Vol. 2 Iss. 1
  10. Verizon Data Breach Investigations Report
  11. Healthcare Dive
  12. Verizon Data Breach Investigations Report
  13. Identity Theft Center
  14. IBM Cybersecurity Report
  15. CNN
  16. CyberPolicy
  17. GDS Connect
  18. HealthStats
  19. Becker ASC
  20. Tenable Global Cybersecurity Report Card
  21. Identity Experts Corp

Related Readings:

Protenus Breach Barometer Report
