By the Numbers: 2009-2015 HIPAA Breaches

Here we are six months into 2015 and its time for the midway report on what has happened in the world of HIPAA breaches. It bears mentioning that the numbers below are ONLY representative of events impacting 500 or more individuals and reflects reporting up to June 23, 2015. All of the research below is my own and derives from publicly available data.

2015 Breaches: 1/1/15 – 6/23/15

The first numbers below are a breakdown of the sources of breaches in 2015. The percentage after the number shows what proportion of the overall 2015 breaches are attributable to that source. You will note that the numbers listed below do not equal the total sum, this is because OCR allows for an “other” designation when no other description fits.

Total number of Breaches in 2015: 93,963,272

Number of Breaches Since 1/1/2015 Attributable to:

Paper: 155,729 (0.1%)

Laptops, Desktops, and Portable Electronics: 295,655 (0.3%)

EMR: 22,203 (0.02%)

Email: 515,901 (0.5%)

Network Server: 92,672,601 (75%)

The numbers of 2015 are clearly skewed towards the BCBS, affiliates, and subsidiaries (“BCBS”). The breaches of BCBS account for a tremendous number of impacted individuals. Given the tremendous weight and skewing associated with the BCBS breach, I decided to control for those numbers and run the same report without the two huge BCBS breaches, a total of 89,800,000.

TOTAL NUMBER OF BREACHES IN 2015 (sans BCBS): 4,163,272

Paper: 155,7289 (3.7%)

Laptops, Desktops, and Portable Electronics: 295,655 (7.1%)

EMR: 22,203 (0.5%)

Email: 515,901 (12.4%)

Network Server: 2,872,601 (68.9%)

Whats intriguing is that the numbers are still heavily skewed towards loss attributable to a network server. Even controlling for the huge BCBS numbers, nearly 7 out of 10 stolen PHI records stolen came hacked network servers.

Historical look at the data on breaches

After running through the numbers for 2015, I decided to do a retrospective and look back at the data since reporting began. Here are the total breach numbers and their sources since reporting began in 2009.

Total Number of Breaches Since 2009: 134,870,039

Number of Breaches Since 2009 Attributable to:

Paper: 1,866,133 (1.4%)

Laptops, Desktops, and Portable Electronics: 13,760,826 (10.2%)

EMR: 2,840,852 (2.1%)

Email: 1,399,920 (1.0%)

Network Server: 102,420,230 (75%)

Once again, these numbers skew heavily towards the most recent 2015 mega BCBS breaches. Once again controlling for those number and subtracting them from the report, we get the following percentages.

TOTAL NUMBER OF BREACHES SINCE 2009 (sans bcbs): 34,070,039

Paper: 1,866,133 (5.4%)

Laptops, Desktops, and Portable Electronics: 13,760,826 (40.3%)

EMR: 2,840,852 (8.3%)

Email: 1,399,920 (4.1%)

Network Server: 12,620,230 (37%)

Amazing how once we control for the 2015 BCBS breaches, the numbers seem to almost normalize in a pattern with roughly 2 out of 5 stolen records coming from Laptops, Desktops and Portable Electronics; and 2 out of 5 stolen records coming from breached network servers. This means that approximately 80% of all of the breaches come from those two sources. These numbers really give weight to the idea that encryption and heavily investing in network architecture pays off in the end. This is only highlighted by the recent OPM breaches that were a product of legacy server infrastructure and unencrypted data.

Tarred and Feathered: BCBS, subsidiaries and affiliates

One of the most amazing things I am across in this research was the amazing number of breaches attributable to one organization: BCBS. Of the all time largest breaches, BCBS is responsible the number 1 and number 2 spots, and 6 of top 20 spots.

Total Number of Breaches Attributable to BCBS: 92,803,208

This number represents 68.8% of all breaches since HIPAA reporting began. In full disclosure, my information was stolen in one of their breaches. Even more amazing is the attitude that these breaches are not impacting the individuals who had their data stolen. On the dark web, PHI records often fetch 10-15 times as much money as a credit record and are often much more expensive to fix. According to the recent Medical Identity Fraud Alliance report the average cost to the individuals who have their information stolen and used is $13,500.

Now is the time for change.

/s/ HH @legallevity

11 thoughts on “By the Numbers: 2009-2015 HIPAA Breaches

  1. IL June 23, 2015 / 5:10 pm

    I would love to see a breakdown per-company, even if it’s just for the top few, and their fines.


    • Hudson Harris June 24, 2015 / 7:55 am

      So would I! Unfortunately, while reporting is mandatory, the settlement agreement amounts are not. I would love to see the data released on all amounts, but for now we are left with this page:

      There you can see the “examples” of settlement agreements that OCR has released. If I can get any data or information on actual amounts, I will let you know. If it would be useful to you, I can do a post on the top 10 biggest breaches and break them down on cause/amount.


  2. Kevin Toppenberg, MD June 24, 2015 / 7:14 am

    Thank you for this article. As a private physician, I am being pushed to make medical records available to patients on the web. The Meaningful Use program first offers rewards, and will eventually levy fines to entice me to ensure a certain percentage of my patients access their records on line. What are the chances that I can make this happen safely? The rush to make medical information to flow as freely as twitter feeds will inevitably lead to leaks. And it is the provider that is held liable. The entire situation has left me bitter.


    • Hudson Harris June 24, 2015 / 7:57 am

      I know of a lot of companies that provide safe online access to their clients records. My suggestion is to hire a company that knows the industry and knows how get this data online in a manner that satisfies meaningful use, but limits exposure in the event of a breach. I understand your bitterness, believe me, but have faith, the good companies out there will be able to get you where you need to go.


      • Kevin Toppenberg, MD June 24, 2015 / 9:06 am

        I use an open source EHR from the VA named VistA. I have made extensive customizations to the system so that it serves me and my patients optimally. The prospect of having to give all that up and start over with a 3rd party system, just to enhance information flow out of my office for the benefit of management executives in insurance company corporate offices is what gives me a bad taste in my mouth. Imagine you come to see me with an embarrassing sexually transmitted illness. How would you feel about giving me the sensitive and private information, knowing that it will instantly flow into data pipes and head off to servers in the cloud, for perusal by who-knows-who? “But it’s safe”, you might counter. At which point I mention the 93 million data breaches in 2015. And even if unlawful access can be limited, I cannot imagine that the NSA, FBI, Police, etc will ignore such rich sources of information. Large stores of information exert an almost inexorable attractive force for access. Kind of like “If you build it, they will come.” There is a balance between the benefits of data sharing and the harms from violation of privacy. Ideally the compromise solution could be arrived in a public forum, or even better let patients decide for themselves. But I don’t see this happening. I have had a patient concerned with guns rights ask me if the information they tell me would go outside the exam room. I told them that if I don’t write it down, I would likely forget about it. And if I put it in the record, I can’t give them such reassurance. So then they obviously restrained from telling me things that they otherwise would have. That is a real problem.

        Liked by 1 person

      • Hudson Harris June 24, 2015 / 9:24 am

        I am all for privacy and security. Sadly, the concept of infosec is largely alien to Congress and HIPAA is woefully out of date. There is a balance between meaningful use and online access, but it hasnt been found yet. Personally, I enjoy seeing *some of my PHI online when I need it. A provider I had in CA allowed me to select what would be online and what would not. That said, if something is stored electronically it is accessible (hackable) and vulnerable to an outside attack. Unless your EMR is on a segregated network with no internet access, it has gaps, holes and flaws.


      • Kevin Toppenberg, MD June 24, 2015 / 11:04 am

        I agree. Thanks again for your work on this article.


Leave a Reply to Hudson Harris Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s