by Jack Santos | February 5, 2015 | 2014 Healthcare Breaches…Will Anthem blow it away in 2015?
Timing is everything, especially with this morning’s announcements of 80M records stolen from Anthem. I just completed this analysis of HHS healthcare breach reporting data.
By all reports, the Anthem records certainly contain personal information; they MAY contain Protected Health Information, and if so they would be covered by HIPAA and HHS regulations. Time will tell. Were that true, it could be the single largest healthcare breach ever, and we would be well on our way toward my scenario analysis that EVERYONE IN THE U.S. WILL HAVE THEIR HEALTH INFORMATION IN THE WILD BY 2024 (scenario #3 from this blog post).
If you have followed my blog, you know that I annually review the US HHS breach report, just to see what kind of year we had in healthcare security. Enough time has now gone by since the end-of-year reporting to make sure we have captured the stragglers. Prior years' observations are here for 2010, 2011, 2012, and 2013.
A few observations:
- 2014 didn’t quite achieve the all-time breach level of 2011 – a year when 3 companies accounted for nearly 8 million individuals being affected by a healthcare record breach. But it was close. The 80M reported Anthem breach of 2015 could dwarf all prior breaches.
- Community Health Systems Professional Services Corporation in Tennessee joined a very exclusive group: the "over 4 million records breached" club. Advocate Health in Illinois and TRICARE in Virginia are the other members. The next largest breaches are from Xerox State Healthcare, LLC in Texas (2 million) and from IBM, working for Health Net in California (just under 2 million).
- We are close to 40M healthcare records breached to date, and that is ONLY counting the HHS reports of breaches involving over 500 individuals at a time. I question how accurate that database is, and how long the tail of breaches under 500 individuals is. I suspect that as much as 20% of the US population (60M) now have their healthcare records "out in the wild". But that is just a guess.
Notes on methodology:
- Reporting has gotten more creative, and breaches now span longer periods of time (years in some cases). That is a troubling fact: it means either that criminals are spending more time undetected in infiltrated systems, or that we just don't know for sure when they got in and when the breach was mitigated. Nonetheless, I have adjusted the 2013 and 2014 figures so that each breach is counted as of the date it ended, or the date it was reported.
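The year-attribution rule above (count a breach in the year it ended, falling back to the reporting date) and the repeat-offender check discussed a little further on are easy to get wrong when done by hand in a spreadsheet. The script below is an added example, not the author's own analysis; the input rows are constructed, the entity names are placeholders, and the column names are an assumption about how an HHS "500 or more individuals" export is laid out.

```python
"""Year-by-year roll-up of HHS-style breach reports.

Added example, not the author's analysis script. Rows are constructed here
in the shape of an HHS breach-portal CSV export (column names assumed).
Breaches spanning more than one year are attributed to the year in which
the breach ended; when no end date is present, the submission date is used.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample rows; entity names and figures are illustrative only.
SAMPLE_CSV = """\
Name of Covered Entity,State,Individuals Affected,Breach Start Date,Breach End Date,Breach Submission Date
Example Health System A,TN,4500000,2014-04-01,2014-06-30,2014-08-20
Example State Vendor B,TX,2000000,2012-01-01,2014-02-28,2014-03-14
Example Claims Processor C,NJ,1062509,2014-02-01,,2014-04-15
Example Hospital D,CA,729000,2013-10-01,2013-10-31,2013-11-12
Example Plan E,NY,344579,2009-12-15,2010-01-10,2010-02-01
Example Plan E,NY,120000,2013-05-01,2013-05-02,2013-06-01
"""


def parse_date(text):
    """Return a date for an ISO 'YYYY-MM-DD' string, or None when blank."""
    text = text.strip()
    return date.fromisoformat(text) if text else None


def attribution_year(row):
    """Year a breach is counted in: its end date if present, else submission date."""
    end = parse_date(row["Breach End Date"]) or parse_date(row["Breach Submission Date"])
    return end.year


def load_reports(csv_text):
    """Parse CSV text into a list of dicts with typed fields and an attributed year."""
    reports = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reports.append({
            "entity": row["Name of Covered Entity"].strip(),
            "state": row["State"].strip(),
            "affected": int(row["Individuals Affected"]),
            "year": attribution_year(row),
        })
    return reports


def totals_by_year(reports):
    """Map year -> (number of reports, individuals affected)."""
    counts = defaultdict(lambda: [0, 0])
    for r in reports:
        counts[r["year"]][0] += 1
        counts[r["year"]][1] += r["affected"]
    return {y: tuple(v) for y, v in counts.items()}


def top_n(reports, year, n=3):
    """Largest n breaches attributed to a year, as (entity, state, affected)."""
    rows = sorted((r for r in reports if r["year"] == year),
                  key=lambda r: r["affected"], reverse=True)
    return [(r["entity"], r["state"], r["affected"]) for r in rows[:n]]


def cumulative_affected(reports, through_year):
    """Total individuals affected across all reports attributed up to a year."""
    return sum(r["affected"] for r in reports if r["year"] <= through_year)


def repeat_offenders(reports):
    """Entities that appear in more than one reporting year, sorted by name."""
    years = defaultdict(set)
    for r in reports:
        years[r["entity"]].add(r["year"])
    return sorted(e for e, ys in years.items() if len(ys) > 1)


if __name__ == "__main__":
    data = load_reports(SAMPLE_CSV)
    for year, (n, affected) in sorted(totals_by_year(data).items()):
        print(f"{year}: {n} reports, {affected:,} individuals")
    for entity, state, affected in top_n(data, 2014):
        print(f"  {entity} ({state}): {affected:,}")
    print("repeat offenders:", repeat_offenders(data))
```

Note that the vendor row with a start date in 2012 and an end date in 2014 lands in 2014, which is exactly the adjustment the methodology note describes; swap the attribution rule in `attribution_year` if you prefer to count by start date.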
There is a positive side to these numbers. The level of recidivism has declined sharply. The usual suspects that appeared multiple times in prior years' reports didn't show up this year, and nothing unusual pops out in terms of repeat offenders. Let me know if you see the data differently. There is hope that one can learn from a careful analysis of past breaches.
One of my colleagues suggested collating the breach occurrences to level of HIPAA fines…a project for another day…
Here's what the number of breaches over the past six years, based on government data, looks like (chart not reproduced here):
Then there is the hall of shame for 2014:
| Provider | State | Number of members affected |
|---|---|---|
| Community Health Systems Professional Services Corporation | TN | 4,500,000 |
| Xerox State Healthcare, LLC | TX | 2,000,000 |
| Sutherland Healthcare Solutions, Inc. | NJ | 1,062,509 |
For those of you keeping track, here are the prior years' Top 3:
| Provider | State | Number of members affected |
|---|---|---|
| BlueCross BlueShield of Tennessee, Inc. | TN | 1,023,209 |
| Affinity Health Plan, Inc. | NY | 344,579 |
| New York City Health & Hospitals Corporation's North Bronx Healthcare Network/GRM Information Management Services | NY | 1,700,000 |
| South Shore Hospital/Iron Mountain Data Products, Inc. | MA | 800,000 |
| Triple-S Salud, Inc./Triple-C, Inc. | PR | 398,000 |
| TRICARE Management Activity (TMA)/Science Applications International Corporation | VA | 4,900,000 |
| Health Net, Inc./IBM | CA | 1,900,000 |
| The Nemours Foundation | FL | 1,055,489 |
| Utah Department of Health/Utah Department of Technology Services | UT | 780,000 |
| South Carolina Department of Health and Human Services | SC | 228,435 |
| Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | IL | 4,029,530 |
| Horizon Blue Cross Blue Shield of New Jersey/Horizon Healthcare Services, Inc. | NJ | 839,711 |
| AHMC Healthcare Inc. and affiliated Hospitals | CA | 729,000 |