This is my 7th year of analyzing healthcare breaches reported to HHS. This has become a tradition, and I don’t profess it to be an exacting science – some rather simple observations and straightforward accounting. Prior years analysis are here for 2010, 2011, 2012, 2013, and 2014, 2016.
As I suspected, 2015 will go down as an unprecedented year. 2016 returns us to the “normal” growth rate we experienced from 2009 to 2014.
Yet, we continue to be on track for my prognostication of every individual in the United States will have their healthcare breached by 2024 – and possibly well before that. Of course, that doesn’t account for duplicates – the same person getting breached multiple times.
This chart tells the story of 2016 (click for a larger image):
The Hall of Shame for 2016
These are the companies that topped the list for number of people affected by a breach…
| Banner Health | AZ | Healthcare Provider | 3,620,000 |
| Newkirk Products, Inc. | NY | Business Associate | 3,466,120 |
| 21st Century Oncology | FL | Healthcare Provider | 2,213,597 |
…And states with the highest number of breaches in 2016…
| State | Number of Breaches Reported | Number of Individuals Affected |
| CA | 40 | 1,438,714 |
| FL | 28 | 2,872,912 |
| NY | 16 | 3,589,254 |
One state deserves special mention; they achieved the highest count of individuals breached, while at a lower count of total breaches:
Arizona at 9 total breaches, affecting a whopping 4,524,278 individuals.
Type of Breach
While other types of breaches stayed relatively the same, hacking and unauthorized access breaches showed significant increases, accounting for 74% of the total (by incident):
Repeat Breaches
I usually report on organizations that have multiple breaches in a single year. Who didn’t learn their lesson? Well, suffice it to say, the single year numbers are almost nonexistent, with the exception of the County of Los Angeles, which incurred two incidents for a total of 749,760 people affected.
Final Thoughts
I suspect these numbers don’t tell the full story. We may be experiencing gross underreporting, since almost all of the reports are on the honor system. I don’t believe these reports take into account ransomware attacks, where data is now in the hands of nefarious attackers, but quietly set aside (or even publicly released through the dark web).
Will 2017 be another major outbreak of breaches (like 2015) or continue the upward growth from prior years, like 2016 did?? Time will tell…
