Gartner Blog Network


2014 Healthcare Breaches…Will Anthem blow it away in 2015?

by Jack Santos  |  February 5, 2015

Timing is everything, especially with this morning’s announcements of 80M records stolen from Anthem.  I just completed this analysis of HHS healthcare breach reporting data.

By all reports, the Anthem records certainly contain personal information; they MAY contain Protected Health Information – if so, they would be covered by HIPAA and HHS regulations. Time will tell. Were that true, it could be the single largest healthcare breach ever, and we’ll be well on our way to achieving my scenario analysis that EVERYONE IN THE U.S. WILL HAVE THEIR HEALTH INFORMATION IN THE WILD BY 2024 (scenario #3 from this blog post).

If you have followed my blog, you know that I annually review the US HHS breach report, just to see what kind of year we had in healthcare security. Well, enough time has gone by since the end-of-year reporting to make sure we have captured the stragglers. Prior years’ observations are here for 2010, 2011, 2012, and 2013.

A few observations:

  • 2014 didn’t quite achieve the all-time breach level of 2011 – a year when 3 companies accounted for nearly 8 million individuals being affected by a healthcare record breach.  But it was close. The 80M reported Anthem breach of 2015 could dwarf all prior breaches.
  • Community Health Systems Professional Services Corporation in Tennessee joined a very exclusive group – “The over 4 Million Records Breached” club. Advocate Health in Illinois and TRICARE in Virginia are the other members.  The next largest breaches are from Xerox State Healthcare, LLC in Texas (2 Million) and by IBM working for Health Net in California (just under 2M).
  • We are close to 40M healthcare records breached to date…and that’s ONLY counting the HHS reporting of those involving over 500 individuals at a time.  I question how accurate that database is, and how long the tail is regarding <500 individuals.  I suspect that as much as 20% of the US population (60M) now have their healthcare records “out in the wild”.  But that is just a guess.

Notes on methodology:

  • Reporting has gotten more creative, and breaches are over longer lengths of time (spanning years) – that is a troubling fact which reflects that either criminals are spending more time in infiltrated systems undetected, or we just don’t know for sure when they got in, and when the breach was mitigated.   That is a troubling turn of events.  Nonetheless, I have adjusted 2013 and 2014 to reflect the number as of the date the breach ended, or was reported on.

There is a positive side to these numbers. The level of recidivism has declined sharply. Our usual suspects that appeared multiple times in prior years’ reports didn’t show up this year, and nothing unusual pops out in terms of repeat offenders. Let me know if you see the data differently. There is hope that one can learn from a careful analysis of past breaches.

One of my colleagues suggested collating the breach occurrences to level of HIPAA fines…a  project for another day…

Here’s what the number of breaches over the past six years, based on government data, looks like:

[Figure: Breach 2014]

Then there is the hall of shame for 2014:

| Provider | State | Number of members affected |
|---|---|---|
| Community Health Systems Professional Services Corporation | TN | 4,500,000 |
| Xerox State Healthcare, LLC | TX | 2,000,000 |
| Sutherland Healthcare Solutions, Inc. | NJ | 1,062,509 |

For those of you keeping track, here are the prior years’ Top 3:

| Year | Provider | State | Number of members affected |
|---|---|---|---|
| 2009 | AvMed, Inc. | FL | 1,220,000 |
| 2009 | BlueCross BlueShield of Tennessee, Inc. | TN | 1,023,209 |
| 2009 | Affinity Health Plan, Inc. | NY | 344,579 |
| 2010 | New York City Health & Hospitals Corporation’s North Bronx Healthcare Network/GRM Information Management Services | NY | 1,700,000 |
| 2010 | South Shore Hospital/ Iron Mountain Data Products, Inc. | MA | 800,000 |
| 2010 | Triple-S Salud, Inc./ Triple-C, Inc. | PR | 398,000 |
| 2011 | TRICARE Management Activity (TMA)/ Science Applications International Corporation | VA | 4,900,000 |
| 2011 | Health Net, Inc./ IBM | CA | 1,900,000 |
| 2011 | The Nemours Foundation | FL | 1,055,489 |
| 2012 | Utah Department of Health/ Utah Department of Technology Services | UT | 780,000 |
| 2012 | Emory Healthcare | GA | 315,000 |
| 2012 | South Carolina Department of Health and Human Services | SC | 228,435 |
| 2013 | Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | IL | 4,029,530 |
| 2013 | Horizon Blue Cross Blue Shield of New Jersey/ Horizon Healthcare Services, Inc. | NJ | 839,711 |
| 2013 | AHMC Healthcare Inc. and affiliated Hospitals | CA | 729,000 |

Jack Santos
Research VP
7 years at Gartner
40 years IT industry

Jack Santos is a Research Vice President with Gartner, part of the Enterprise Architecture and Technology Innovation team within the Gartner for IT Leaders product. He focuses on enterprise architecture and technology trends. Mr. Santos' specific area of research covers individual development, leadership and management practices for enterprise architects, EA innovation, and collaboration approaches.



