Gartner Blog Network

2013 Healthcare Breach Report

by Jack Santos  |  April 14, 2014  |  Comments Off on 2013 Healthcare Breach Report

If you have followed my blog, you know that I annually review the US HHS breach report, just to see what kind of year we had in healthcare security.  Well, enough time has gone by since the end of year reporting to make sure we have captured the stragglers.  Prior years observations are here for 2010,  here for 2011, and here for 2012.

This year I firmed up our counting rules.  For example, I count all the multi-year breach counts in the year that the last breach report ended.  So there are some slight variations from prior years reporting.

A couple of observations:

  • 2012 now seems to have been an anomaly around breach reporting, we got back on a growth track in 2013 for breaches.  Something to look forward to (uggh).
  • We are at 30 Million individually identifiable healthcare records that were breached to date.  In four years we have exposed protected health information for 10% of the population.  I don’t think this cadence of breaches will change – in fact it may very well accelerate.  Get ready for a world where your health info is readily available – legitimately or not.
  • There is a whole lot of press on the 40 Million credit card numbers that were hacked at Target.  That’s an estimate, probably at the high end, and we don’t know how many of those were (or are) still valid numbers.  Not a word in the media about the 30 Million healthcare records out in the wild.  Healthcare is more than just about “What’s in your wallet” (apologies to Capital One).  That said, stolen credit card numbers are easily monetized, while stolen (or lost) healthcare records are a whole different story (note that some of these breaches included card numbers).  Which one is the more serious breach type, I’ll leave to a discussion for another day.
  • In 2013 Advocate Health in Illinois  joined a very exclusive club –  “The Over 4 Million Records Breached” club.  There is only one other member – TRICARE in Virginia.  The next largest breach of all time is almost 2M Million records – ostensibly by IBM working for Health Net in California.

Here’s what the number of breaches over the past four years, based on government data , looks like:


2013 Healthcare breaches


Then there is the hall of shame.  Let’s recap the top 3 largest breaches by year:


   Provider  State  Business Partner Number of members affected
AvMed, Inc. FL 1,220,000
BlueCross BlueShield of Tennessee, Inc. TN 1,023,209
Affinity Health Plan, Inc. NY 344,579


New York City Health & Hospitals Corporation’s North Bronx Healthcare Network NY GRM Information Management Services 1,700,000
South Shore Hospital MA Iron Mountain Data Products, Inc. (now known as 800,000
Triple-S Salud, Inc. PR Triple-C, Inc. 398,000


TRICARE Management Activity (TMA) VA Science Applications International Corporation (SA 4,900,000
Health Net, Inc. CA IBM 1,900,000
The Nemours Foundation FL 1,055,489


Utah Department of Health UT Utah Department of Technology Services 780,000
Emory Healthcare GA 315,000
South Carolina Department of Health and Human Services SC 228,435


Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group IL 4,029,530
Horizon Blue Cross Blue Shield of New Jersey NJ Horizon Healthcare Services, Inc., 839,711
AHMC Healthcare Inc. and affiliated Hospitals CA 729,000


And from the “will they ever learn?” department, these cases jump out:

Utah Department of Health UT 2010







Indiana Family & Social Services Administration IN 2013





Health Net, Inc. CA  2013





Cook County Health & Hospitals System IL 2010









Can’t wait to see what happens in 2014….



Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: fun  healthcare  security  

Tags: data-management  healthcare  security  

Jack Santos
Research VP
7 years at Gartner
40 years IT industry

Jack Santos is a Research Vice President with Gartner, part of the Enterprise Architecture and Technology Innovation team within the Gartner for IT Leaders product. He focuses on enterprise architecture and technology trends. Mr. Santos' specific area of research covers individual development, leadership and management practices for enterprise architects, EA innovation, and collaboration approaches. Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.