Gartner Blog Network


2015 Healthcare Breach Trends. The Wild West of Healthcare Data.

by Jack Santos | January 7, 2016

This is my 6th year of analyzing healthcare breaches reported to HHS. This has become a tradition, and I don't profess it to be an exacting science: some rather simple observations and straightforward accounting. Prior years' analyses are here for 2010, 2011, 2012, 2013, and 2014.

But, OMG, it’s been quite a ride, and very eye opening.

Back in 2012 I made the prognostication that by 2024 everyone in the US would have their healthcare data exposed, "in the wild". Well, folks, I was wrong. Four years in, we are well beyond halfway to that dubious milestone, with 8 years to go. That event may happen by 2020.

But the data do not account for duplicates: the same person's records being breached multiple times are counted each time, so the cumulative total overstates the number of distinct individuals exposed.

Of course, having the data breached is a far cry from having it misused. One could argue that breaches are so common that I am merely counting cars on the highway and expecting deliberate accidents to follow. And maybe that analogy holds. We may suffer the consequences of misuse of our healthcare data someday in our lives. We are well down that road with financial data (which has often been closely tied to healthcare breaches), and there are few people alive who haven't experienced some level of identity theft or fraud.

This chart tells the story of 2015:

[Figure: 2015 graph]
The Hall of Shame for 2015:

These are the companies that topped the list for number of people affected by a breach:

Company                                       State  Company Type         Individuals Affected  Date Reported
Anthem, Inc. Affiliated Covered Entity        IN     Health Plan                    78,800,000  03/13/2015
Premera Blue Cross                            WA     Health Plan                    11,000,000  03/17/2015
Excellus Health Plan, Inc.                    NY     Health Plan                    10,000,000  09/09/2015
University of California, Los Angeles Health  CA     Healthcare Provider             4,500,000  07/17/2015

This year I am including any organization whose single breach report exceeded the combined total of all breaches reported by everyone last year (4.5 million).

States with the most individuals affected by breaches in 2015

These are, of course, affected by where the corporate headquarters of the major national carriers are located. Surprisingly, Connecticut (arguably the "Insurance Capital of the World", home to Cigna and Aetna) didn't even come close to making the list. I'll leave it to the reader to speculate why.

State        Individuals Affected  Note
Indiana                83,159,421  Thanks to Anthem, whose headquarters are there
Washington             11,006,133  Premera Blue Cross was the biggest contributor
New York               10,203,009  Excellus Health Plan was the single biggest
California              4,746,278  Univ of California contributed the bulk

Maybe it's time for stronger regulations and inspections at the state level?

Types of Breaches

In 2010, hacking accounted for less than 10% of reported breaches, while theft and loss combined were over 50%. We have come a long way, baby: the combined total of unauthorized access/disclosure and hacking now accounts for over 60% of breaches. The y-axis in the chart below is the total number of reports, not the number of individuals affected.

[Figure: 2015 graph, breach reports by type]

Recidivism

Two companies stuck out like a sore thumb, I am sorry to say. OTOH, it may be that these organizations are just much better, and more diligent, at reporting breaches. They have consistently had breaches in multiple years. It's interesting that they are both in the retail pharmacy business, and that none of the breaches were significantly attributable to hacking; they were mostly theft (hmmm… that distinction could be interesting. A blog post for another time). In all fairness, the CVS numbers reflect the acquisition of Caremark, whose string of breaches seems to have been dragged along into the purchase.

 

Walgreen Co. (IL, Healthcare Provider)

Individuals Affected  Date Reported  Type of Breach
               1,240  07/30/2012     Theft
              17,350  12/06/2013     Other
                 540  06/06/2014     Theft
             160,000  12/15/2014     Other
               1,138  05/01/2015     Loss
               8,345  08/07/2015     Unauthorized Access/Disclosure

 

CVS Caremark / CVS Health

Entity        State  Entity Type          Individuals Affected  Date Reported  Type of Breach
CVS Caremark  AZ     Healthcare Provider                   654  05/11/2011     Theft, Unauthorized Access/Disclosure
CVS Caremark  RI     Healthcare Provider                   955  10/26/2012     Theft
CVS Caremark  AZ     Business Associate                  4,305  07/02/2013     Theft
CVS Health    RI     Healthcare Provider                12,914  06/26/2015     Theft
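The "straightforward accounting" behind the tables above (yearly totals, the share of reports per breach type, the per-state ranking, the "exceeds last year's total" Hall of Shame rule, and spotting repeat reporters across years) can be reproduced from the HHS breach portal's CSV export. The script below is an added example written for this page, not the author's own spreadsheet or any Gartner tooling. It assumes the export's column names ("Name of Covered Entity", "State", "Covered Entity Type", "Individuals Affected", "Breach Submission Date", "Type of Breach") and runs over a constructed sample: the large 2015 rows and the Walgreen/CVS rows echo the tables above, while the breach types assigned to the four large plans and the "Small Clinic LLC" row are made up for illustration. The `org_key` grouping heuristic (first word of the entity name) is likewise a placeholder; a real analysis needs a curated alias table.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows in the shape of the HHS OCR breach portal CSV export.
# Column names are an assumption about that export. Breach types for the four
# large 2015 rows and the "Small Clinic LLC" row are invented for illustration.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach
"Anthem, Inc. Affiliated Covered Entity",IN,Health Plan,78800000,03/13/2015,Hacking/IT Incident
Premera Blue Cross,WA,Health Plan,11000000,03/17/2015,Hacking/IT Incident
"Excellus Health Plan, Inc.",NY,Health Plan,10000000,09/09/2015,Hacking/IT Incident
"University of California, Los Angeles Health",CA,Healthcare Provider,4500000,07/17/2015,Hacking/IT Incident
Walgreen Co.,IL,Healthcare Provider,160000,12/15/2014,Other
Walgreen Co.,IL,Healthcare Provider,1138,05/01/2015,Loss
Walgreen Co.,IL,Healthcare Provider,8345,08/07/2015,Unauthorized Access/Disclosure
CVS Caremark,AZ,Healthcare Provider,654,05/11/2011,"Theft, Unauthorized Access/Disclosure"
CVS Caremark,RI,Healthcare Provider,955,10/26/2012,Theft
CVS Health,RI,Healthcare Provider,12914,06/26/2015,Theft
Small Clinic LLC,CT,Healthcare Provider,600,02/02/2015,Theft
"""

HACKING = "Hacking/IT Incident"
UNAUTHORIZED = "Unauthorized Access/Disclosure"


def load_reports(text):
    """Parse the CSV export into dicts with an int count and an int report year."""
    reports = []
    for row in csv.DictReader(io.StringIO(text)):
        reports.append({
            "entity": row["Name of Covered Entity"].strip(),
            "state": row["State"].strip(),
            "count": int(row["Individuals Affected"].replace(",", "") or 0),
            "year": datetime.strptime(row["Breach Submission Date"].strip(), "%m/%d/%Y").year,
            "kind": row["Type of Breach"].strip(),
        })
    return reports


def yearly_totals(reports):
    """Individuals affected per year. Reports are summed as-is: the same person
    appearing in two reports is counted twice, exactly the caveat in the post."""
    totals = Counter()
    for r in reports:
        totals[r["year"]] += r["count"]
    return dict(totals)


def type_share(reports, year):
    """Share of *reports* (not individuals) per breach type in one year.
    A report listing two types ("Theft, Unauthorized Access/Disclosure") is
    counted under both, so the shares are per report and may sum above 1."""
    rows = [r for r in reports if r["year"] == year]
    kinds = Counter(k.strip() for r in rows for k in r["kind"].split(","))
    return {k: v / len(rows) for k, v in kinds.items()} if rows else {}


def top_states(reports, year, n=4):
    """States ranked by total individuals affected in one year."""
    per_state = Counter()
    for r in reports:
        if r["year"] == year:
            per_state[r["state"]] += r["count"]
    return per_state.most_common(n)


def hall_of_shame(reports, year):
    """Entities with a single report in `year` larger than the whole previous year.
    If the previous year has no rows the threshold is 0 and everything qualifies."""
    prior = yearly_totals(reports).get(year - 1, 0)
    return sorted({r["entity"] for r in reports if r["year"] == year and r["count"] > prior})


def org_key(name):
    """Crude grouping key: first word, casefolded, punctuation stripped. It merges
    'CVS Caremark' and 'CVS Health', but would also merge unrelated 'University
    of ...' entities; replace with a curated alias table for real use."""
    words = re.sub(r"[^\w\s]", "", name).casefold().split()
    return words[0] if words else ""


def repeat_offenders(reports, min_years=2):
    """Entities (grouped by org_key) that reported breaches in >= min_years distinct years."""
    years = defaultdict(set)
    for r in reports:
        years[org_key(r["entity"])].add(r["year"])
    return {k: sorted(v) for k, v in years.items() if len(v) >= min_years}


if __name__ == "__main__":
    reports = load_reports(SAMPLE_CSV)
    print("per year:", yearly_totals(reports))
    print("2015 type share:", type_share(reports, 2015))
    print("2015 top states:", top_states(reports, 2015))
    print("2015 hall of shame:", hall_of_shame(reports, 2015))
    print("repeat offenders:", repeat_offenders(reports))
```

On the sample, hacking plus unauthorized access/disclosure make up 5 of the 8 reports filed in 2015 (62.5%), and the four large plans are the only entities whose single 2015 report exceeds the constructed 2014 total. Against the real export the same functions reproduce the post's tables, subject to the double-counting caveat noted in `yearly_totals`.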

 

Final Thoughts

There is one glaring issue with these statistics, as compiled by the U.S. Department of Health and Human Services. Where is the Federal Government? Especially with the advent of the Affordable Care Act, a significant amount of personal health data is being handled by state and federal agencies, whether indirectly through health care exchange websites and clearinghouses, or directly by the Veterans Administration. Yet we are led to believe that there have been no (or only relatively minor) breaches of data handled by the public sector at the national level. Is the lack of reporting by federal agencies deliberate? An oversight? Or does the reporting database reflect significant UNDERREPORTING of breach data overall, and even more so by federal agencies? (I suspect it does.) It's one thing for HHS to deliver excellent transparency through this breach reporting effort. It's another to leave out some of the major health care data players.

I am looking forward to what 2016 brings in this world of secrets, and privacy, unleashed…

 


Category: healthcare, it-governance, management, security, technology-and-emerging-trends

Jack Santos
Research VP
7 years at Gartner
40 years IT industry

Jack Santos is a Research Vice President with Gartner, part of the Enterprise Architecture and Technology Innovation team within the Gartner for IT Leaders product. He focuses on enterprise architecture and technology trends. Mr. Santos' specific area of research covers individual development, leadership and management practices for enterprise architects, EA innovation, and collaboration approaches. Read Full Bio



