75 HIPAA Violation Statistics: When Cybersecurity Compromises PHI

The last time you took your HIPAA training, you probably heard a line similar to, “You’re the biggest safety risk to your organization.”

It’s true to an extent. People are prone to make mistakes and accidentally expose protected health information or PHI.

Maybe you even heard the term “insider threat” in the training. For the scope of this blog, an insider threat is a person in the healthcare organization who has access to electronic PHI, or ePHI, and uses this information to negatively impact the healthcare provider.

There are several types of insider threats. When it comes to HIPAA violations, these people take the form of…

• Careless/negligent workers
• Malicious insiders
• Inside agents
• Disgruntled employees
• Third parties

The most common type of insider threat, and the ones that can expose a good amount of PHI, are those who are careless or negligent.

In fact, 61% of insider threat incidents involve negligent insiders. Another 25% of negligent insider threats involve stolen credentials. These are the people who don’t take their training seriously. They leave their computers vulnerable to illegal access and are a high risk for cybersecurity incidents.

You see, HIPAA compliance and cybersecurity go hand-in-hand. A covered entity needs to train its employees on cybersecurity safety as a measure to protect PHI. A healthcare cybersecurity breach can allow a malicious bad actor to obtain information protected by HIPAA, such as medical records and personally identifiable information.

The size of a cybersecurity incident can lead to large HIPAA violations. Some incidents in the past involved millions of healthcare records affecting thousands of people. Such breaches can lead to massive financial penalties from the federal government. Depending on the level of negligence, HIPAA violations can also lead to imprisonment.

Now that you understand that there’s a strong correlation between HIPAA violations and cybersecurity breaches, let’s look at the healthcare breach environment.

Below are over 75 HIPAA violation statistics pertaining to cybersecurity breaches.

General HIPAA-Related Data Breach Statistics

The general healthcare cybersecurity landscape isn’t what you might expect. Considering how much confidential information covered entities have, you would think they have impeccable, top-grade cybersecurity protocols.

However, this isn’t exactly the case. I’m sure you’ve seen at least one news article in the last week talking about how a hospital endured a breach that exposed hundreds of thousands of files, including names, emails, and addresses.

As you can see, the HIPAA violation statistics below are not pretty.

• Year over year, healthcare data breaches increased by 25%. (HIPAA Journal - Healthcare Data Breach Report US)
• 67% of breaches against healthcare entities involve compromised medical information. (Verizon)
• 75% of healthcare organizations spend only 6% or less of IT budgets on cybersecurity. (Healthcare IT News)
• Around ¾ of healthcare organizations reported that their infrastructures are not prepared to respond to cybersecurity threats, leaving their electronic PHI vulnerable. (InfoSecurity Magazine)
• Every employee in a healthcare organization has access to around 20% of files. (HHS)
• 34% of healthcare data breaches come from unauthorized access or disclosure. (Tech Jury)
• Healthcare accounts for 79% of all reported breaches. (Health IT Security)
• 60% of healthcare providers name risk assessments as the #1 reason they invest in security instead of HIPAA compliance. (Healthcare IT News)  
• 30% of all large data breaches happen to hospitals. (Tech Jury)
• 18% of teaching hospitals reported enduring a data breach. (Tech Jury)
• 6% of pediatric hospitals reported data breaches. (Tech Jury)
• The average data breach took 212 days to identify and 75 days to contain in 2021. (Compliancy Group)
• Hacking and IT incidents accounted for 67% of data breaches. (HIPAA Journal - Healthcare Data Breach Report US)  
  • It also accounted for 92% of breached protected medical records.
• 88% of hackers that attack healthcare entities do so for financial reasons. (Verizon)
  • 4% do it for the sheer fun of it.
  • 3% of breaches occur due to convenience.
• Breaches caused by compromised credentials took 341 days on average to contain. (Compliancy Group)
• 95% of all identity theft incidents come from stolen healthcare records. (Global News Wire)
  • This information is worth 25 times as much as credit card information.

HIPAA Violations Over Time

Hackers have always liked to target protected entities. The information they steal from patients in bulk is often used to steal identities, attack individuals through phishing scams, and get healthcare on someone else’s dime.

Over the years, the patterns changed. Each year, there are more breaches, more exploitable vulnerabilities, and more victims. Some years are worse than others. For example, healthcare breaches peaked in 2015, making it a record year for HIPAA violations.

The HIPAA violation statistics below create a timeline of how cybersecurity attacks morphed and changed over time.

• Between 2009 and 2020, healthcare breaches exposed 78 million healthcare records. (HIPAA Journal - Healthcare Data Breach Report US)  
• The OCR received 4,419 healthcare data breach reports between 2009 and 2021 involving 500 or more records. (HIPAA Journal - Healthcare Data Breach Statistics)
  • These breaches lead to the illegal disclosure of over 314.1 million healthcare records.
• Roughly 95% of the 2021 U.S. population had their medical information disclosed between 2009 and 2021. (HIPAA Journal - Healthcare Data Breach Statistics)
• Between 2014 and 2022, healthcare data breaches doubled in frequency. (HIPAA Journal - Healthcare Data Breach Report US)  
• 2015 was the worst year for healthcare data breaches. (HIPAA Journal - Healthcare Data Breach Statistics)
  • In that year alone, there were more than 133.27 million records exposed in the breaches
  • Most of the exposed data came from 3 breached entities:
    • Anthem Inc.
    • Premera Blue Cross
    • Excellus

• The number of reported HIPAA data breaches doubled compared to the amount in 2016. (Electronic Health Reporter)
• There were 5 million breached patient records in 2017. (Healthcare IT News)  
  • This is a drastic decline compared to the 100 million breached patient records in 2015.
• There were 10% more organizations that reported a breach in 2017 compared to the year prior. (Healthcare IT News)
• The frequency of healthcare data breaches involving 500 or more medical records reached a reporting rate of around 1 report per day in 2018. (HIPAA Journal - Healthcare Data Breach Statistics)
• 85% of ransomware victims paid in Q1, 2019. (HIPAA Journal)  
  • The number of victims willing to pay the ransom declined over time, to only 46% of victims in Q1, 2022
• The healthcare industry saw 642 data breach reports involving 500 or more medical records in 2020. (HIPAA Journal - Healthcare Data Breach Report US)  
  • This is roughly 1 ¾ data breaches reported each day.
• During a single month in 2020, there were 39 high-profile healthcare industry breaches. (Tech Jury)
• There were more than 29 million healthcare records exposed in breaches during 2020. (HIPAA Journal - Healthcare Data Breach Report US)  
• By the end of 2020, security breaches cost the healthcare industry over $6 trillion. (Tech Jury)
• From 2020 to 2022, the healthcare sector lost a total of $25 billion due to cyberattacks. (Tech Jury)
• The cost of lost business due to a data breach in 2021 was nearly $1.6 million. (Compliancy Group)
  • This equates to 38% of the $4.24 million global average.
  • Lost business costs include:
    • Business disruption and revenue losses from system downtime;
    • Cost of lost customers and acquiring new customers;
    • Reputation losses; and
    • Diminished goodwill.
• There were nearly 45 million health records exposed or stolen in 2021. (Global News Wire)
  • This is because, during that year, there were a record 686 major breaches.
• In 2021, there was an average of 1.95 healthcare data breaches reported each day. (HIPAA Journal - Healthcare Data Breach Statistics)
  • This equates to a total of 714 healthcare breaches involving 500 or more medical records.
• From March 2021 to February 2022, there were 723 reported data breaches involving 500 or more records. (HIPAA Journal - February 2022 Healthcare Data Breach Report)
• 57% of healthcare organizations experienced more than 5 breaches in 2021. (Global News Wire)
• Data breaches in 2021 cost healthcare businesses an average of $9.3 million per incident. (Compliancy Group)
  • This average cost was 29.5% higher than the cost of breaches 2020.
  • In comparison, all other industries had a combined average loss of $4.24 million per breach in the same year.
    • This means that beaches in healthcare cause 2-3 times more damage compared to other industries.

HIPAA Violation Statistics in 2022

We can learn from the past to address the present circumstances. But what do healthcare entities face this year? Thus far, it appears some cybersecurity situations improved this year, such as the amount of the average ransomware payout. However, the rate of data breaches is at an all-time high.

Since 2022 isn’t quite over yet there aren’t as many HIPAA violation statistics available. Below is some information that can shed light on the situation as it is unfolding.

• The rate of healthcare data breaches in 2022 involving 500 or more medical records reached about 2 reports a day. (HIPAA Journal - Healthcare Data Breach Statistics)
  • This is double the amount from four years prior.
• The average ransomware payout in the first quarter of 2022 was about $211,000. (HIPAA Journal)
  • This is 34% less than the average ransomware payments in the fourth quarter of 2021.
  • The median ransom payment was $73,906.
• In February 2022 alone, there were 46 healthcare data breaches. (HIPAA Journal - February 2022 Healthcare Data Breach Report)
  • These incidents affected roughly 2.53 million people.
  • This is 8% less than the number of incidents the month prior.
• In March 2022, there were 30 healthcare data breaches. (HHS)
  • These breaches involved 1.4 million victims, as reported by the HHS

The Knowledge Link Between HIPAA and Cybersecurity

As I mentioned above, HIPAA compliance and cybersecurity practices are closely linked. If a covered entity doesn’t have proper protocols and security measures for its electronic systems, they are likely to endure some sort of HIPAA violation.

Part of the issue has to do with recognizing bad actors attempting to steal information. Doctors, nurses, and administrative staff often have difficulties recognizing malicious online activity. Many can’t recognize phishing attempts, what to look for to see if malware is on a computer, or what to do once they notice a breach.

The healthcare industry is significantly behind compared to other industries. Below are some statistics that illustrate the healthcare industry’s battle against cybersecurity incidents.

• Cybersecurity roles in healthcare take 70% longer to fill, on average, compared to other IT positions. (InfoSecurity Magazine)
• 24% of healthcare workers lack awareness about phishing emails. (Reliable IT MSP)
  • This is 3 times more than workers in non-healthcare sectors.
• Only 18% of healthcare workers can recognize phishing emails. (Reliable IT MSP)
  • Physicians are 3 times worse than the average healthcare worker at recognizing phishing emails.
• 90% of healthcare workers and hospital employees who transitioned to a remote work environment due to COVID-19 did not receive any updated security guidelines or training about accessing PHI. (InfoSecurity Magazine)
• 88% of healthcare workers will open a phishing email when tested. (Reliable IT MSP)
• 50% of doctors are likely to commit a serious data breach. (Reliable IT MSP)
• People in the healthcare industry have overall less knowledge about cybersecurity compared to other industries. (Reliable IT MSP)
• 75% of CISOs agreed that experienced cybersecurity professionals are unlikely to pursue a career in healthcare. (InfoSecurity Magazine)
• 24% of physicians can’t identify some common indicators that malware is on a computer. (Reliable IT MSP)
• 30% of healthcare workers take risks that put the safety of PHI at risk. (Reliable IT MSP)
• 23% of healthcare workers do not recognize the forms of malware. (Reliable IT MSP)
• 96% of healthcare entities believe that bad actors are outpacing their organizations, placing providers at a significant disadvantage. (InfoSecurity Magazine)
• 18% of healthcare workers chose the wrong actions when in a cybersecurity training scenario. (Reliable IT MSP)
  • Many believed it was ok to share PHI through the employee’s personal email accounts or over insecure cloud networks.

Conclusion

Many covered entities feel concerned about their data security and privacy. Many more found that outsiders illegally accessed their medical information in a large-scale breach.

The data shows that the larger the hospital, the more likely the healthcare entity will endure a data breach. This is true, in part, because smaller hospitals attract less attention from hackers. Nevertheless, data breaches are rampant and continue to happen.

There were over 2,550 data breaches with millions of exposed res over the past decade. Although breaches against healthcare entities do not result in the largest data breaches, the nature of the stolen PHI makes the breach considerably more dangerous.

Even with the knowledge above, no one can save the healthcare sector. We can make the situation a little bit better if we collectively take steps to protect PHI and other valuable data.

With the extensive list of statistics above, you have a better chance of avoiding security risks than the rest of your healthcare peers. Etactics can help you and your organization improve even more. By purchasing HIPAA and cybersecurity training from Etacatics, you can take the steps to protect your organization.