
2013 Healthcare Breach Report

By Jack Santos | April 14, 2014

If you have followed my blog, you know that I annually review the US HHS breach report, just to see what kind of year we had in healthcare security. Well, enough time has gone by since the end-of-year reporting to make sure we have captured the stragglers. Prior years' observations are here for 2010, here for 2011, and here for 2012.

This year I firmed up our counting rules. For example, I count all the multi-year breach counts in the year that the last breach report ended. So there are some slight variations from prior years' reporting.

A couple of observations:

  • 2012 now seems to have been an anomaly in breach reporting; we got back on a growth track for breaches in 2013. Something to look forward to (uggh).
  • We are at 30 Million individually identifiable healthcare records that were breached to date.  In four years we have exposed protected health information for 10% of the population.  I don’t think this cadence of breaches will change – in fact it may very well accelerate.  Get ready for a world where your health info is readily available – legitimately or not.
  • There is a whole lot of press on the 40 Million credit card numbers that were hacked at Target.  That’s an estimate, probably at the high end, and we don’t know how many of those were (or are) still valid numbers.  Not a word in the media about the 30 Million healthcare records out in the wild.  Healthcare is more than just about “What’s in your wallet” (apologies to Capital One).  That said, stolen credit card numbers are easily monetized, while stolen (or lost) healthcare records are a whole different story (note that some of these breaches included card numbers).  Which one is the more serious breach type, I’ll leave to a discussion for another day.
  • In 2013 Advocate Health in Illinois joined a very exclusive club – “The Over 4 Million Records Breached” club. There is only one other member – TRICARE in Virginia. The next largest breach of all time is almost 2 Million records – ostensibly by IBM working for Health Net in California.

Here’s what the number of breaches over the past four years, based on government data, looks like:


[Chart: 2013 Healthcare breaches]


Then there is the hall of shame. Let’s recap the top 3 largest breaches by year:


| Provider | State | Business Partner | Number of members affected |
|---|---|---|---|
| AvMed, Inc. | FL | | 1,220,000 |
| BlueCross BlueShield of Tennessee, Inc. | TN | | 1,023,209 |
| Affinity Health Plan, Inc. | NY | | 344,579 |
| | | | |
| New York City Health & Hospitals Corporation’s North Bronx Healthcare Network | NY | GRM Information Management Services | 1,700,000 |
| South Shore Hospital | MA | Iron Mountain Data Products, Inc. (now known as | 800,000 |
| Triple-S Salud, Inc. | PR | Triple-C, Inc. | 398,000 |
| | | | |
| TRICARE Management Activity (TMA) | VA | Science Applications International Corporation (SA | 4,900,000 |
| Health Net, Inc. | CA | IBM | 1,900,000 |
| The Nemours Foundation | FL | | 1,055,489 |
| | | | |
| Utah Department of Health | UT | Utah Department of Technology Services | 780,000 |
| Emory Healthcare | GA | | 315,000 |
| South Carolina Department of Health and Human Services | SC | | 228,435 |
| | | | |
| Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | IL | | 4,029,530 |
| Horizon Blue Cross Blue Shield of New Jersey | NJ | Horizon Healthcare Services, Inc., | 839,711 |
| AHMC Healthcare Inc. and affiliated Hospitals | CA | | 729,000 |


And from the “will they ever learn?” department, these cases jump out:

Utah Department of Health UT 2010
Indiana Family & Social Services Administration IN 2013
Health Net, Inc. CA 2013
Cook County Health & Hospitals System IL 2010

Can’t wait to see what happens in 2014….


