
2014 Healthcare Breaches…Will Anthem blow it away in 2015?

By Jack Santos | February 05, 2015

Timing is everything, especially with this morning’s announcement of 80M records stolen from Anthem. I just completed this analysis of HHS healthcare breach reporting data.

By all reports, the Anthem records certainly contain personal information; they MAY contain Protected Health Information – if so they would be covered by HIPAA and HHS regulations. Time will tell. Were that true, it could be the single largest healthcare breach ever, and we’ll be well on our way to achieving my scenario analysis that EVERYONE IN THE U.S. WILL HAVE THEIR HEALTH INFORMATION IN THE WILD BY 2024 (scenario #3 from this blog post).

If you have followed my blog, you know that I annually review the US HHS breach report, just to see what kind of year we had in healthcare security. Well, enough time has gone by since the end-of-year reporting to make sure we have captured the stragglers. Prior years’ observations are here for 2010, 2011, 2012, and 2013.

A few observations:

  • 2014 didn’t quite achieve the all-time breach level of 2011 – a year when 3 companies accounted for nearly 8 million individuals being affected by a healthcare record breach.  But it was close. The 80M reported Anthem breach of 2015 could dwarf all prior breaches.
  • Community Health Systems Professional Services Corporation in Tennessee joined a very exclusive group – “The over 4 Million Records Breached” club. Advocate Health in Illinois and TRICARE in Virginia are the other members.  The next largest breaches are from Xerox State Healthcare, LLC in Texas (2 Million) and by IBM working for Health Net in California (just under 2M).
  • We are close to 40M healthcare records breached to date…and that’s ONLY counting the HHS reporting of those involving over 500 individuals at a time.  I question how accurate that database is, and how long the tail is regarding <500 individuals.  I suspect that as much as 20% of the US population (60M) now have their healthcare records “out in the wild”.  But that is just a guess.

Notes on methodology:

  • Reporting has gotten more creative, and breaches now span longer periods of time (years). That is troubling: it reflects that either criminals are spending more time in infiltrated systems undetected, or we just don’t know for sure when they got in and when the breach was mitigated. Nonetheless, I have adjusted 2013 and 2014 to reflect the number as of the date the breach ended, or was reported on.

There is a positive side to these numbers. The level of recidivism has declined sharply. Our usual suspects that appeared multiple times in prior years’ reports didn’t show up this year, and nothing unusual pops out in terms of repeat offenders. Let me know if you see the data differently. There is hope that one can learn from a careful analysis of past breaches.

One of my colleagues suggested collating the breach occurrences with the level of HIPAA fines…a project for another day…

Here’s what the number of breaches over the past six years, based on government data, looks like:

[Figure: Breach 2014]

Then there is the hall of shame for 2014:

| Provider | State | Number of members affected |
|---|---|---|
| Community Health Systems Professional Services Corporation | TN | 4,500,000 |
| Xerox State Healthcare, LLC | TX | 2,000,000 |
| Sutherland Healthcare Solutions, Inc. | NJ | 1,062,509 |


For those of you keeping track, here are the prior years Top 3:

| Provider | State | Number of members affected |
|---|---|---|
| AvMed, Inc. | FL | 1,220,000 |
| BlueCross BlueShield of Tennessee, Inc. | TN | 1,023,209 |
| Affinity Health Plan, Inc. | NY | 344,579 |
| New York City Health & Hospitals Corporation’s North Bronx Healthcare Network/GRM Information Management Services | NY | 1,700,000 |
| South Shore Hospital/ Iron Mountain Data Products, Inc. | MA | 800,000 |
| Triple-S Salud, Inc./ Triple-C, Inc. | PR | 398,000 |
| TRICARE Management Activity (TMA)/ Science Applications International Corporation | VA | 4,900,000 |
| Health Net, Inc./ IBM | CA | 1,900,000 |
| The Nemours Foundation | FL | 1,055,489 |
| Utah Department of Health/ Utah Department of Technology Services | UT | 780,000 |
| Emory Healthcare | GA | 315,000 |
| South Carolina Department of Health and Human Services | SC | 228,435 |
| Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | IL | 4,029,530 |
| Horizon Blue Cross Blue Shield of New Jersey/ Horizon Healthcare Services, Inc. | NJ | 839,711 |
| AHMC Healthcare Inc. and affiliated Hospitals | CA | 729,000 |


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
