Blog post

2015 Healthcare Breach Trends. The Wild West of Healthcare Data.

By Jack Santos | January 07, 2016 | 0 Comments

This is my 6th year of analyzing healthcare breaches reported to HHS.  This has become a tradition, and I don’t profess it to be an exacting science – some rather simple observations and straightforward accounting. Prior years analysis are here for 2010,   20112012, 2013, and 2014.

But, OMG, it’s been quite a ride, and very eye opening.

By 2012 I made the prognostication that by 2024 everyone in the US would have their healthcare data exposed – “in the wild”.  Well, folks, I was wrong.  Four years in and we are well beyond half way to that dubious milestone, with 8 years to go. That event may happen by 2020.

But the data does not account for duplicates – the same person getting breached multiple times.

Of course, having the data breached is a far cry from having it misused. One could argue that breaches are so common, I am merely counting cars on the highway, and expecting deliberate accidents from that.  And maybe that analogy holds.  We may  suffer the consequences of misuse of our healthcare data someday in our lives.  We are well down that road with financial data (which has often been closely tied to healthcare breaches), and there are few people alive that haven’t experienced some level of identity theft or fraud.

This Chart tells the story of 2015:
2015 graph









The Hall of Shame for 2015:

These are the companies that topped the list for number of people affected by a breach:

Company State Company Type Number of Individuals Breached
Anthem, Inc. Affiliated Covered Entity IN Health Plan 78,800,000 03/13/2015
Premera Blue Cross WA Health Plan 11,000,000 03/17/2015
Excellus Health Plan, Inc. NY Health Plan 10,000,000 09/09/2015
University of California, Los Angeles Health CA Healthcare Provider 4,500,000 07/17/2015

This year I am including anyone whose single annual breach count exceeded the total of all breaches  for everyone last year (4.5 Million)….


States with the highest number of breaches in 2015

These are, of course, affected by where the corporate headquarters are located for major national carriers.  Surprisingly, Connecticut (arguably the “Insurance Capital of the World” with Cigna and Aetna) didn’t even come close to making the list.  I’ll leave it to the reader to speculate why.

Indiana  Thanks to Anthem, whose headquarters are there 83,159,421
New York  Excellus Health Plan was the single biggest 10,203,009
California  Univ of California contributed the bulk 4,746,278
Washington State  Premera Blue Cross was the biggest contributor 11,006,133

Maybe it’s time for regulations and inspections that are strengthened at the state level?


Type of Breaches

In 2010, hacking was less than 10% of the total breaches, theft and losses were over 50% combined.  We have come a long way, baby, with the combined total of unauthorized access and hacking now accounting for over 60% of breaches.  The y-axis is total number of reports.

2015 graph type













Two companies stuck out like a sore thumb, I am sorry to say.  OTOH, it may be that these organizations are just much better, and more diligent at reporting breaches.  They have  consistently had breaches in multiple years.  It’s interesting that they are both in the retail pharmacy business, and none of the breaches were significantly attributable to hacking – mostly theft  (hmmm…that distinction could be interesting. A blog post for another time). In all fairness, the CVS numbers reflect the acquisition of Caremark, which seemed to have their string of breaches dragged along into the purchase.


Walgreen Co. IL Healthcare Provider 1240 07/30/2012 Theft
Healthcare Provider 17350 12/06/2013 Other
Healthcare Provider 540 06/06/2014 Theft
Healthcare Provider 160000 12/15/2014 Other
Healthcare Provider 1138 05/01/2015 Loss
Healthcare Provider 8345 08/07/2015 Unauthorized Access/Disclosure


CVS CAREMARK AZ Healthcare Provider 654 05/11/2011 Theft, Unauthorized Access/Disclosure
CVS Caremark RI Healthcare Provider 955 10/26/2012 Theft
CVS Caremark AZ Business Associate 4305 07/02/2013 Theft
CVS Health RI Healthcare Provider 12914 06/26/2015 Theft


Final Thoughts

There is one glaring issue with these statistics, as compiled by The U.S. Department of Health and Human Services.  Where is the Federal Government?  Especially with the advent of the Affordable Care Act, a significant amount of personal health data is being handled by state and federal agencies – through health care exchange websites (indirectly), clearinghouses, or by the Veterans Administration (directly).  Yet, we are led to believe that there have been no (or relatively minor ) breaches of data handled by the public sector at the national level.  Is the lack of reporting by federal agencies deliberate? an oversight?  Or does the reporting database reflect a significant UNDERREPORTING of breach data – and even more so by Federal agencies (I suspect it does).  It’s one thing to deliver on excellent transparency through this breach reporting effort the HHS has given us.  It’s another to not include all the major health care data players.

I am looking forward to what 2016 brings in this world of secrets, and privacy, unleashed…..


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed