Gartner Blog Network

This is my 6th year of analyzing healthcare breaches reported to HHS.  This has become a tradition, and I don’t profess it to be an exacting science – some rather simple observations and straightforward accounting. Prior years analysis are here for 2010,   2011, 2012, 2013, and 2014.

But, OMG, it’s been quite a ride, and very eye opening.

By 2012 I made the prognostication that by 2024 everyone in the US would have their healthcare data exposed – “in the wild”.  Well, folks, I was wrong.  Four years in and we are well beyond half way to that dubious milestone, with 8 years to go. That event may happen by 2020.

But the data does not account for duplicates – the same person getting breached multiple times.

Of course, having the data breached is a far cry from having it misused. One could argue that breaches are so common, I am merely counting cars on the highway, and expecting deliberate accidents from that.  And maybe that analogy holds.  We may  suffer the consequences of misuse of our healthcare data someday in our lives.  We are well down that road with financial data (which has often been closely tied to healthcare breaches), and there are few people alive that haven’t experienced some level of identity theft or fraud.

This Chart tells the story of 2015:

The Hall of Shame for 2015:

These are the companies that topped the list for number of people affected by a breach:

This year I am including anyone whose single annual breach count exceeded the total of all breaches  for everyone last year (4.5 Million)….

States with the highest number of breaches in 2015

These are, of course, affected by where the corporate headquarters are located for major national carriers.  Surprisingly, Connecticut (arguably the “Insurance Capital of the World” with Cigna and Aetna) didn’t even come close to making the list.  I’ll leave it to the reader to speculate why.

Maybe it’s time for regulations and inspections that are strengthened at the state level?

Type of Breaches

In 2010, hacking was less than 10% of the total breaches, theft and losses were over 50% combined.  We have come a long way, baby, with the combined total of unauthorized access and hacking now accounting for over 60% of breaches.  The y-axis is total number of reports.

Recidivism 

Two companies stuck out like a sore thumb, I am sorry to say.  OTOH, it may be that these organizations are just much better, and more diligent at reporting breaches.  They have  consistently had breaches in multiple years.  It’s interesting that they are both in the retail pharmacy business, and none of the breaches were significantly attributable to hacking – mostly theft  (hmmm…that distinction could be interesting. A blog post for another time). In all fairness, the CVS numbers reflect the acquisition of Caremark, which seemed to have their string of breaches dragged along into the purchase.

Final Thoughts

There is one glaring issue with these statistics, as compiled by The U.S. Department of Health and Human Services.  Where is the Federal Government?  Especially with the advent of the Affordable Care Act, a significant amount of personal health data is being handled by state and federal agencies – through health care exchange websites (indirectly), clearinghouses, or by the Veterans Administration (directly).  Yet, we are led to believe that there have been no (or relatively minor ) breaches of data handled by the public sector at the national level.  Is the lack of reporting by federal agencies deliberate? an oversight?  Or does the reporting database reflect a significant UNDERREPORTING of breach data – and even more so by Federal agencies (I suspect it does).  It’s one thing to deliver on excellent transparency through this breach reporting effort the HHS has given us.  It’s another to not include all the major health care data players.

I am looking forward to what 2016 brings in this world of secrets, and privacy, unleashed…..

Category: healthcare  it-governance  managment  security  technology-and-emerging-trends