If you have followed my blog, you know that I annually review the US HHS breach report, just to see what kind of year we had in healthcare security. Well, enough time has gone by since the end of year reporting to make sure we have captured the stragglers. Prior years observations are here for 2010, here for 2011, and here for 2012.
This year I firmed up our counting rules. For example, I count all the multi-year breach counts in the year that the last breach report ended. So there are some slight variations from prior years reporting.
A couple of observations:
- 2012 now seems to have been an anomaly around breach reporting, we got back on a growth track in 2013 for breaches. Something to look forward to (uggh).
- We are at 30 Million individually identifiable healthcare records that were breached to date. In four years we have exposed protected health information for 10% of the population. I don’t think this cadence of breaches will change – in fact it may very well accelerate. Get ready for a world where your health info is readily available – legitimately or not.
- There is a whole lot of press on the 40 Million credit card numbers that were hacked at Target. That’s an estimate, probably at the high end, and we don’t know how many of those were (or are) still valid numbers. Not a word in the media about the 30 Million healthcare records out in the wild. Healthcare is more than just about “What’s in your wallet” (apologies to Capital One). That said, stolen credit card numbers are easily monetized, while stolen (or lost) healthcare records are a whole different story (note that some of these breaches included card numbers). Which one is the more serious breach type, I’ll leave to a discussion for another day.
- In 2013 Advocate Health in Illinois joined a very exclusive club – “The Over 4 Million Records Breached” club. There is only one other member – TRICARE in Virginia. The next largest breach of all time is almost 2M Million records – ostensibly by IBM working for Health Net in California.
Here’s what the number of breaches over the past four years, based on government data , looks like:
Then there is the hall of shame. Let’s recap the top 3 largest breaches by year:
| Provider | State | Business Partner | Number of members affected | |
| 2009 | ||||
| AvMed, Inc. | FL | 1,220,000 | ||
| BlueCross BlueShield of Tennessee, Inc. | TN | 1,023,209 | ||
| Affinity Health Plan, Inc. | NY | 344,579 |
| 2010 | ||||
| New York City Health & Hospitals Corporation’s North Bronx Healthcare Network | NY | GRM Information Management Services | 1,700,000 | |
| South Shore Hospital | MA | Iron Mountain Data Products, Inc. (now known as | 800,000 | |
| Triple-S Salud, Inc. | PR | Triple-C, Inc. | 398,000 |
| 2011 | ||||
| TRICARE Management Activity (TMA) | VA | Science Applications International Corporation (SA | 4,900,000 | |
| Health Net, Inc. | CA | IBM | 1,900,000 | |
| The Nemours Foundation | FL | 1,055,489 |
| 2012 | ||||
| Utah Department of Health | UT | Utah Department of Technology Services | 780,000 | |
| Emory Healthcare | GA | 315,000 | ||
| South Carolina Department of Health and Human Services | SC | 228,435 |
| 2013 | ||||
| Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | IL | 4,029,530 | ||
| Horizon Blue Cross Blue Shield of New Jersey | NJ | Horizon Healthcare Services, Inc., | 839,711 | |
| AHMC Healthcare Inc. and affiliated Hospitals | CA | 729,000 |
And from the “will they ever learn?” department, these cases jump out:
| Utah Department of Health | UT | 2010 |
1,298 |
| 2012 |
780,000 |
||
| 2013 |
6,332 |
| Indiana Family & Social Services Administration | IN | 2013 |
187,533 |
| 2010 |
757 |
| Health Net, Inc. | CA | 2013 |
8,331 |
| 2011 |
1,900,000 |
| Cook County Health & Hospitals System | IL | 2010 |
556 |
| 2010 |
7,081 |
||
| 2013 |
22,511 |
||
| 2011 |
32,008 |
Can’t wait to see what happens in 2014….
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed