Source

U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Breaches Affecting 500 or More Individuals: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. February 1, 2016.

Citation

Office of the National Coordinator for Health Information Technology. 'Breaches of Unsecured Protected Health Information,' Health IT Quick-Stat #53. https://www.healthit.gov/data/quickstats/breaches-unsecured-protected-health-information. February 2016.

Based upon data collected by the HHS Office for Civil Rights, as of February 1, 2016, protected health information breaches affected over 113 million individuals in 2015. In 2015, hacking incidents accounted for nearly 99% of all individuals affected by breaches, and the 57 reported hacking incidents made up over 20% of all reported breaches. From 2011 to 2014, 97 hacking incidents affected fewer than 4 million individuals - less than 10% of all reported breaches and affected individuals during this time.

However, despite the rise in breaches related to hacking incidents, reported breaches related to other incidents and the number of individuals affected by these breaches are down in 2015. Through February 1, 2016, theft, loss, improper disposal, and unauthorized access or disclosure of protected health information comprise 208 of all reported breaches (N=265), down from 216 (N=285) in 2014 and 211 (N=262) in 2013. These four types of breach incidents affected 1.4 million individuals in 2015, compared to 10.7 million in 2014 and 6.7 million in 2013.

In 2015, four of the fifty-one hacking incidents involved an electronic medical record (EMR). One hacking incident affected 3.9 million individuals' health information - nearly all the individuals affected by an EMR hacking incident in 2015.

Note: A non-hacking/IT incident includes all other types of reported health information breaches: theft, loss, improper disposal, unauthorized access/disclosure, other, or unknown (not reported or data missing). See notes below for types of IT and devices involved in these incidents.

Number of Individuals Affected by a Protected Health Information Breach: 2010-2015
Count of affected individuals by the type and source of information breach

| Type of Information Breach | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---:|---:|---:|---:|---:|---:|
| Hacking/IT incident | 568,358 | 297,269 | 900,684 | 236,897 | 1,786,630 | 111,812,172 |
| Improper disposal | 34,587 | 63,948 | 21,329 | 526,538 | 93,612 | 82,421 |
| Loss | 924,909 | 6,019,578 | 95,815 | 142,411 | 243,376 | 47,214 |
| Theft | 3,691,460 | 4,720,129 | 927,909 | 5,397,989 | 7,058,678 | 740,598 |
| Unauthorized access/disclosure | 130,106 | 118,444 | 338,767 | 383,759 | 3,019,284 | 572,919 |
| Other breach | 158,593 | 13,981 | 503,900 | 254,305 | 413,878 | -- |

| Source of Information Breach | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---:|---:|---:|---:|---:|---:|
| Desktop computer | 246,643 | 2,042,186 | 81,385 | 4,348,129 | 2,378,304 | 316,226 |
| Electronic medical record | 803,600 | 1,720,064 | 136,751 | 40,196 | 121,845 | 3,948,985 |
| E-mail | 8,050 | 3,111 | 294,308 | 58,847 | 519,625 | 583,977 |
| Laptop | 1,507,914 | 405,873 | 575,529 | 1,023,181 | 1,273,612 | 391,830 |
| Network server | 665,123 | 613,963 | 921,335 | 320,127 | 7,253,441 | 107,252,466 |
| Paper/Film | 204,966 | 103,711 | 198,409 | 575,076 | 590,352 | 229,743 |
| Portable Electronic Device | 29,714 | 1,516 | 124,978 | 154,877 | 141,110 | 209,558 |
| Other source | 2,058,166 | 8,259,368 | 455,709 | 422,381 | 343,537 | 322,539 |

Note: Each count above is the total number of individuals affected by a breach of the specific information source and the breach type. Individual reports of a breach may involve one or more information sources (e.g., laptop, e-mail) and one or more breach types (e.g., theft, loss). In those cases, there may be double-counting of the number of affected individuals or reported breaches in a specific year.
Source: U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Breaches Affecting 500 or More Individuals. February 1, 2016.

Number of Reported Protected Health Information Breaches: 2010-2015
Count of reported breaches by the type and source of information breach

| Type of Information Breach | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---:|---:|---:|---:|---:|---:|
| Hacking/IT incident | 10 | 16 | 16 | 23 | 32 | 57 |
| Improper disposal | 10 | 7 | 7 | 13 | 11 | 6 |
| Loss | 18 | 17 | 19 | 24 | 28 | 22 |
| Theft | 127 | 118 | 117 | 124 | 113 | 80 |
| Unauthorized access/disclosure | 7 | 26 | 25 | 63 | 72 | 100 |
| Other breach | 22 | 2 | 18 | 24 | 28 | 0 |

| Source of Information Breach | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 |
|---|---:|---:|---:|---:|---:|---:|
| Desktop computer | 28 | 35 | 23 | 39 | 29 | 29 |
| Electronic medical record | 3 | 6 | 6 | 14 | 14 | 16 |
| E-mail | 5 | 2 | 10 | 20 | 36 | 37 |
| Laptop | 50 | 38 | 51 | 67 | 42 | 38 |
| Network server | 17 | 16 | 20 | 30 | 46 | 41 |
| Paper/Film | 46 | 45 | 47 | 53 | 62 | 67 |
| Portable Electronic Device | 6 | 2 | 19 | 20 | 22 | 15 |
| Other source | 42 | 50 | 26 | 24 | 34 | 22 |

Note: Each count above is the total number of reported breach incidents of the specific information source and the breach type. Individual reports of a breach may involve one or more information sources (e.g., laptop, e-mail) and one or more breach types (e.g., theft, loss). In those cases, there may be double-counting of the number of reported incidents or reported breaches in a specific year.
Source: U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Breaches Affecting 500 or More Individuals. February 1, 2016.

  1. The HIPAA Breach Notification Rule, http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html, requires health care providers, health plans, and other HIPAA covered entities to notify affected individuals when their health information is breached, as well as the HHS Secretary and the media where a breach affects more than 500 individuals. As required by section 13402(e)(4) of the HITECH Act, the Secretary of HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
  2. A breach may involve any of the following types of incidents: theft, loss, hacking/IT incident, improper disposal, unauthorized access/disclosure, other, or unknown (not reported or data missing).
  3. Breach incidents may involve any of the following information, information technology, or devices: paper/films, network server, laptop, desktop computer, e-mail, electronic medical record, other portable electronic device, or other.