Gartner Blog Network


2016 Healthcare Security – The Breach Goes on

by Jack Santos  |  February 9, 2017  |  2 Comments

This is my 7th year of analyzing healthcare breaches reported to HHS.  This has become a tradition, and I don’t profess it to be an exacting science – some rather simple observations and straightforward accounting. Prior years analysis are here for 2010,   20112012, 2013, and 2014, 2016.

As I suspected, 2015 will go down as an unprecedented year.  2016 returns us to the “normal” growth rate we experienced from 2009 to 2014.

Yet, we continue to be on track for my prognostication of every individual in the United States will have their healthcare breached by 2024 – and possibly well before that.   Of course, that doesn’t account for  duplicates – the same person getting breached multiple times.

This chart tells the story of 2016 (click for a larger image):

2016-hc-1

 

The Hall of Shame for 2016

These are the companies that topped the list for number of people affected by a breach…

Banner Health AZ Healthcare Provider 3,620,000
Newkirk Products, Inc. NY Business Associate 3,466,120
21st Century Oncology FL Healthcare Provider 2,213,597

 

And states with the highest number of breaches in 2016…

State Number of Breaches Reported Number of Individuals Affected
CA 40           1,438,714
FL 28           2,872,912
NY 16           3,589,254

One state deserves special mention; they achieved the highest count of individuals breached, while at a lower count of total breaches:
Arizona at 9 total breaches, affecting a whopping  4,524,278 individuals.

Type of Breach

While other types of breaches stayed relatively the same,  hacking and unauthorized access breaches showed significant increases, accounting for 74% of the total (by incident):

hc-3

hc-pic-2

Repeat Breaches

I usually report on organizations that have multiple breaches in a single year. Who didn’t learn their lesson?  Well, suffice it to say, the single year numbers are almost nonexistent, with the exception of the County of Los Angeles, which incurred two incidents for a total of 749,760 people affected.

Final Thoughts

I suspect these numbers don’t tell the full story.  We may be experiencing gross underreporting, since almost all of the reports are on the honor system.  I don’t believe these reports take into account ransomware attacks, where data is now in the hands of nefarious attackers, but quietly set aside (or even publicly released through the dark web).

Will 2017 be another major outbreak of breaches (like 2015) or continue the upward growth from prior years, like 2016 did??  Time will tell…

Category: healthcare  security  

Jack Santos
Research VP
7 years at Gartner
40 years IT industry

Jack Santos is a Research Vice President with Gartner, part of the Enterprise Architecture and Technology Innovation team within the Gartner for IT Leaders product. He focuses on enterprise architecture and technology trends. Mr. Santos' specific area of research covers individual development, leadership and management practices for enterprise architects, EA innovation, and collaboration approaches. Read Full Bio


Thoughts on 2016 Healthcare Security – The Breach Goes on


  1. Edward says:

    Excellent blog. This blog has a lot of information regarding my needs. I’ll definitely put it to good use.

  2. Policysutra says:

    The breaches are surely under-reported since most of the times a coverup is mandated. Still the number is staggering and it should be something that can’t be overlooked in long term.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.