
2016 Healthcare Security – The Breach Goes on

By Jack Santos | February 09, 2017 | 2 Comments

This is my 7th year of analyzing healthcare breaches reported to HHS. This has become a tradition, and I don’t profess it to be an exacting science – just some rather simple observations and straightforward accounting. Prior years’ analyses are here for 2010, 2011, 2012, 2013, and 2014, 2016.

As I suspected, 2015 will go down as an unprecedented year.  2016 returns us to the “normal” growth rate we experienced from 2009 to 2014.

Yet we continue to be on track for my prognostication that every individual in the United States will have their healthcare breached by 2024 – and possibly well before that. Of course, that doesn’t account for duplicates – the same person getting breached multiple times.

This chart tells the story of 2016:

[Chart: 2016-hc-1]

The Hall of Shame for 2016

These are the companies that topped the list for number of people affected by a breach…

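| Organization | State | Entity Type | Individuals Affected |
|---|---|---|---|
| Banner Health | AZ | Healthcare Provider | 3,620,000 |
| Newkirk Products, Inc. | NY | Business Associate | 3,466,120 |
| 21st Century Oncology | FL | Healthcare Provider | 2,213,597 |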

 

And states with the highest number of breaches in 2016…

| State | Number of Breaches Reported | Number of Individuals Affected |
|---|---|---|
| CA | 40 | 1,438,714 |
| FL | 28 | 2,872,912 |
| NY | 16 | 3,589,254 |

One state deserves special mention; it achieved the highest count of individuals breached, while at a lower count of total breaches: Arizona at 9 total breaches, affecting a whopping 4,524,278 individuals.

Type of Breach

While other types of breaches stayed relatively the same, hacking and unauthorized access breaches showed significant increases, accounting for 74% of the total (by incident):

[Charts: hc-3, hc-pic-2]

Repeat Breaches

I usually report on organizations that have multiple breaches in a single year. Who didn’t learn their lesson? Well, suffice it to say, the single-year numbers are almost nonexistent, with the exception of the County of Los Angeles, which incurred two incidents for a total of 749,760 people affected.

Final Thoughts

I suspect these numbers don’t tell the full story. We may be experiencing gross underreporting, since almost all of the reports are on the honor system. I don’t believe these reports take into account ransomware attacks, where data is now in the hands of nefarious attackers, but quietly set aside (or even publicly released through the dark web).

Will 2017 bring another major outbreak of breaches (like 2015) or continue the upward growth from prior years, like 2016 did? Time will tell…


2 Comments

  • Edward says:

    Excellent blog. This blog has a lot of information regarding my needs. I’ll definitely put it to good use.

  • Policysutra says:

    The breaches are surely under-reported since most of the time a coverup is mandated. Still, the number is staggering and it should be something that can’t be overlooked in the long term.