Official websites use .gov
A
.gov
website belongs to an official government organization in the
United States.
Secure .gov websites use HTTPS
A
lock
(
) or
https://
means you’ve safely connected to the .gov website. Share sensitive
information only on official, secure websites.
Quick StatsBreaches of Unsecured Protected Health Information
Based upon data collected by the HHS Office for Civil Rights, as of February 1, 2016, protected health information breaches affected over 113 million individuals in 2015. In 2015, hacking incidents comprised nearly 99% of all individuals affected by breaches, and the number of reported hacking incidents, 57, comprised over 20% of all reported breaches. From 2011 to 2014, 97 hacking incidents affected less than 4 million individuals – less than 10% of all reported breaches and affected individuals during this time.
However, despite the rise in breaches related to hacking incidents, reported breaches related to other incidents and the number of individuals affected by these breaches are down in 2015. Through February 1, 2016, theft, loss, improper disposal, and unauthorized access or disclosure of protected health information comprise 208 of all reported breaches (N=265), down from 216 (N=285) in 2014 and 211 (N=262) in 2013. These four types of breach incidents affected 1.4 million individuals in 2015, compared to 10.7 million in 2014 and 6.7 million in 2013.
In 2015, four of the fifty-one hacking incidents involved an electronic medical record (EMR). One hacking incident affected 3.9 million individuals’ health information – nearly all the individuals affected by an EMR hacking incident in 2015.
Note: ^a non-hacking/IT incident includes all other types of reported health information breaches: theft, loss, improper disposal, unauthorized access/disclosure, other, or unknown (not reported or data missing). See notes below for types of IT and devices involved in these incidents.
Number of Individuals Affected by a Protected Health Information Breach: 2010-2015
Count of affected individuals by the type and source of information breach
| 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | |
|---|---|---|---|---|---|---|
| Type of Information Breach | ||||||
| Hacking/IT incident | 568,358 | 297,269 | 900,684 | 236,897 | 1,786,630 | 111,812,172 (Of this total, 78M individuals (70%) were affected by a singular hacking/IT incident, and 5 of the 51 hacking/IT incidents affected 97% of all individuals) |
| Improper disposal | 34,587 | 63,948 | 21,329 | 526,538 | 93,612 | 82,421 |
| Loss | 924,909 | 6,019,578 | 95,815 | 142,411 | 243,376 | 47,214 |
| Theft | 3,691,460 | 4,720,129 | 927,909 | 5,397,989 | 7,058,678 | 740,598 |
| Unauthorized access/disclosure | 130,106 | 118,444 | 338,767 | 383,759 | 3,019,284 | 572,919 |
| Other breach | 158,593 | 13,981 | 503,900 | 254,305 | 413,878 | — |
| Source of Information Breach | ||||||
| Desktop computer | 246,643 | 2,042,186 | 81,385 | 4,348,129 | 2,378,304 | 316,226 |
| Electronic medical record | 803,600 | 1,720,064 (Of this total, 1.7M individuals (99%) were affected by a singular incident) | 136,751 | 40,196 | 121,845 | 3,948,985 (Of this total, 3.9M individuals (99%) were affected by a singular incident) |
| 8,050 | 3,111 | 294,308 | 58,847 | 519,625 | 583,977 | |
| Laptop | 1,507,914 | 405,873 | 575,529 | 1,023,181 | 1,273,612 | 391,830 |
| Network server | 665,123 | 613,963 | 921,335 | 320,127 | 7,253,441 | 107,252,466 (All but 26,000 individuals were affected by a hacking/IT incident) |
| Paper/Film | 204,966 | 103,711 | 198,409 | 575,076 | 590,352 | 229,743 |
| Portable Electronic Device | 29,714 | 1,516 | 124,978 | 154,877 | 141,110 | 209,558 |
| Other source | 2,058,166 | 8,259,368 | 455,709 | 422,381 | 343,537 | 322,539 |
| Note: Each count above is the total number of individuals affected by a breach of the specific information source and the breach type. Individual reports of a breach may involve one or more information sources, i.e. laptop, e-mail, etc, and one or more breach types, i.e. theft, loss, etc. In those cases, there may be double-counting of the number of affected individuals or reported breaches in a specific year. | ||||||
| Source: U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Breaches Affecting 500 or More Individuals. February 1, 2016. | ||||||
Number of Reported Protected Health Information Breaches: 2010-2015
Count of reported breaches by the type and source of information breach
| 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | |
|---|---|---|---|---|---|---|
| Type of Information Breach | ||||||
| Hacking/IT incident | 10 | 16 | 16 | 23 | 32 | 57 (4 of these incidents involved an electronic medical record) |
| Improper disposal | 10 | 7 | 7 | 13 | 11 | 6 |
| Loss | 18 | 17 | 19 | 24 | 28 | 22 |
| Theft | 127 | 118 | 117 | 124 | 113 | 80 |
| Unauthorized access/disclosure | 7 | 26 | 25 | 63 | 72 | 100 |
| Other breach | 22 | 2 | 18 | 24 | 28 | 0 |
| Source of Information Breach | ||||||
| Desktop computer | 28 | 35 | 23 | 39 | 29 | 29 |
| Electronic medical record | 3 | 6 | 6 | 14 | 14 | 16 |
| 5 | 2 | 10 | 20 | 36 | 37 | |
| Laptop | 50 | 38 | 51 | 67 | 42 | 38 |
| Network server | 17 | 16 | 20 | 30 | 46 | 41 (34 of these breaches involved a hacking/IT incident) |
| Paper/Film | 46 | 45 | 47 | 53 | 62 | 67 |
| Portable Electronic Device | 6 | 2 | 19 | 20 | 22 | 15 |
| Other source | 42 | 50 | 26 | 24 | 34 | 22 |
| Note: Each count above is the total number of reported breach incidents of the specific information source and the breach type. Individual reports of a breach may involve one or more information sources, i.e. laptop, e-mail, etc, and one or more breach types, i.e. theft, loss, etc. In those cases, there may be double-counting of the number of reported incidents or reported breaches in a specific year. | ||||||
| Source: U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Breaches Affecting 500 or More Individuals. February 1, 2016. | ||||||
- The HIPAA Breach Notification Rule, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html, requires health care providers, health plans, and other HIPAA covered entities to notify affected individuals when their health information is breached, as well as the HHS Secretary and the media where a breach affects more than 500 individuals. As required by section 13402(e)(4) of the HITECH Act, the Secretary of HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
- A breach may involve any of the following types of incidents: theft, loss, hacking/IT incident, improper disposal, unauthorized access/disclosure, other, or unknown (not reported or data missing).
- Breach incidents may involve any of the following information, information technology, or devices: paper/films, network server, laptop, desktop computer, e-mail, electronic medical record, other portable electronic device, or other.