This is my 6th year of analyzing healthcare breaches reported to HHS. This has become a tradition, and I don’t profess it to be an exacting science – some rather simple observations and straightforward accounting. Prior years analysis are here for 2010, 2011, 2012, 2013, and 2014.
But, OMG, it’s been quite a ride, and very eye opening.
By 2012 I made the prognostication that by 2024 everyone in the US would have their healthcare data exposed – “in the wild”. Well, folks, I was wrong. Four years in and we are well beyond half way to that dubious milestone, with 8 years to go. That event may happen by 2020.
But the data does not account for duplicates – the same person getting breached multiple times.
Of course, having the data breached is a far cry from having it misused. One could argue that breaches are so common, I am merely counting cars on the highway, and expecting deliberate accidents from that. And maybe that analogy holds. We may suffer the consequences of misuse of our healthcare data someday in our lives. We are well down that road with financial data (which has often been closely tied to healthcare breaches), and there are few people alive that haven’t experienced some level of identity theft or fraud.
This Chart tells the story of 2015:
The Hall of Shame for 2015:
These are the companies that topped the list for number of people affected by a breach:
Company | State | Company Type | Number of Individuals Breached | |
Anthem, Inc. Affiliated Covered Entity | IN | Health Plan | 78,800,000 | 03/13/2015 |
Premera Blue Cross | WA | Health Plan | 11,000,000 | 03/17/2015 |
Excellus Health Plan, Inc. | NY | Health Plan | 10,000,000 | 09/09/2015 |
University of California, Los Angeles Health | CA | Healthcare Provider | 4,500,000 | 07/17/2015 |
This year I am including anyone whose single annual breach count exceeded the total of all breaches for everyone last year (4.5 Million)….
States with the highest number of breaches in 2015
These are, of course, affected by where the corporate headquarters are located for major national carriers. Surprisingly, Connecticut (arguably the “Insurance Capital of the World” with Cigna and Aetna) didn’t even come close to making the list. I’ll leave it to the reader to speculate why.
Indiana | Thanks to Anthem, whose headquarters are there | 83,159,421 |
New York | Excellus Health Plan was the single biggest | 10,203,009 |
California | Univ of California contributed the bulk | 4,746,278 |
Washington State | Premera Blue Cross was the biggest contributor | 11,006,133 |
Maybe it’s time for regulations and inspections that are strengthened at the state level?
Type of Breaches
In 2010, hacking was less than 10% of the total breaches, theft and losses were over 50% combined. We have come a long way, baby, with the combined total of unauthorized access and hacking now accounting for over 60% of breaches. The y-axis is total number of reports.
Recidivism
Two companies stuck out like a sore thumb, I am sorry to say. OTOH, it may be that these organizations are just much better, and more diligent at reporting breaches. They have consistently had breaches in multiple years. It’s interesting that they are both in the retail pharmacy business, and none of the breaches were significantly attributable to hacking – mostly theft (hmmm…that distinction could be interesting. A blog post for another time). In all fairness, the CVS numbers reflect the acquisition of Caremark, which seemed to have their string of breaches dragged along into the purchase.
Walgreen Co. | IL | Healthcare Provider | 1240 | 07/30/2012 | Theft |
Healthcare Provider | 17350 | 12/06/2013 | Other | ||
Healthcare Provider | 540 | 06/06/2014 | Theft | ||
Healthcare Provider | 160000 | 12/15/2014 | Other | ||
Healthcare Provider | 1138 | 05/01/2015 | Loss | ||
Healthcare Provider | 8345 | 08/07/2015 | Unauthorized Access/Disclosure |
CVS CAREMARK | AZ | Healthcare Provider | 654 | 05/11/2011 | Theft, Unauthorized Access/Disclosure |
CVS Caremark | RI | Healthcare Provider | 955 | 10/26/2012 | Theft |
CVS Caremark | AZ | Business Associate | 4305 | 07/02/2013 | Theft |
CVS Health | RI | Healthcare Provider | 12914 | 06/26/2015 | Theft |
Final Thoughts
There is one glaring issue with these statistics, as compiled by The U.S. Department of Health and Human Services. Where is the Federal Government? Especially with the advent of the Affordable Care Act, a significant amount of personal health data is being handled by state and federal agencies – through health care exchange websites (indirectly), clearinghouses, or by the Veterans Administration (directly). Yet, we are led to believe that there have been no (or relatively minor ) breaches of data handled by the public sector at the national level. Is the lack of reporting by federal agencies deliberate? an oversight? Or does the reporting database reflect a significant UNDERREPORTING of breach data – and even more so by Federal agencies (I suspect it does). It’s one thing to deliver on excellent transparency through this breach reporting effort the HHS has given us. It’s another to not include all the major health care data players.
I am looking forward to what 2016 brings in this world of secrets, and privacy, unleashed…..
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
Comments are closed