Record Number of Major Health Data Breaches in 2021Analysis: Federal Tally Shows Breaches Climbing Annually, Hacks Dominating
In the midst of the global COVID-19 pandemic, the federal tally shows that a record number of major health data breaches were reported in the U.S. in 2021, and the overwhelming majority of them involved hacking/IT incidents.
As of Monday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows some 713 major health data breaches affecting more than 45.7 million individuals posted for 2021.
Those figures could continue to grow in the weeks to come as HHS' Office for Civil Rights officials review and confirm details of additional HIPAA breach reports submitted at the end of 2021 and post them to the website.
While the number of major heath data breaches reported to HHS in 2021 surpasses previous years, the number of health data breaches reported over at least the past five years have steadily grown annually.
The 45.7 million individuals affected in 2021 by major health data breaches, however, is not the record number affected in a year.
The largest number of people were affected by health data breaches in 2015, when 270 major HIPAA breaches affected a record 112.5 million individuals. But that included 78.8 million individuals affected by a single incident - a major cyberattack on health insurer Anthem.
That incident, which was detected in late 2014 but reported to HHS by Anthem in February 2015, is by far still the single largest reported health data breach to date.
Since 2009, the HHS OCR website shows some 4,444 major health data breaches affecting nearly 321 million individuals. Over the past several years, that includes:
- 663 breaches affecting more than 34 million individuals in 2020;
- 512 breaches affecting 42.3 million individuals in 2019;
- 369 breaches affecting 14.4 million individuals in 2018;
- 358 breaches affecting nearly 5.3 million individuals in 2017;
- 329 breaches affecting 16.7 million individuals in 2016;
- 270 breaches affecting 112.5 million individuals in 2015, including the record-breaking Anthem hacking incident.
The HHS website shows that 7.6% more major HIPAA breaches were reported in 2021 compared to 2020, and there were 34.4% more individuals affected by those incidents in 2021 compared to 2020.
2021 Breach Trends
Hacking/IT incidents were by far the most dominant type of health data breach posted to the HHS website in 2021, in a trend that has been developing over the past several years.
As of Monday morning, the HHS website shows 526 major HIPAA breaches reported as hacking/IT incidents affecting 43.1 million individuals reported in 2021. That means hacking/IT incidents were involved in 73% of all 2021 breaches posted to the HHS website so far, but those incidents were responsible for about 94% of individuals affected.
Some 147 "unauthorized access/disclosure" breaches affected more than 2.2 million individuals in 2021. That’s about 20% of total breaches and about 4.8% of those individuals affected in 2021.
Only 16 loss/theft breaches involving unencrypted computing devices - such as laptops and mobile storage gear - were posted to the HHS website in 2021. Those incidents, which were the major source of large health data breaches in years past, affected fewer than 100,000 individuals in 2021.
Business associates were reported as being involved in 251 breaches affecting 21.3 million individuals in 2021. That means vendors and other business associates handling protected health information were involved in about 35% of all major HIPAA breaches in 2021. Those business associate incidents affected about 46% of all individuals affected last year by major health data breaches.
10 Largest Health Data Breaches in 2021
|Breached Entity||Individuals Affected|
|Florida Healthy Kids Corp.||3.5 million|
|20/20 Eye Care Network||3.2 million|
|Forefront Dermatology||2.4 million|
|Eskenazi Health||1.5 million|
|The Kroger Co.||1.47 million|
|St. Joseph's/Candler Health System||1.4 million|
|University Medical Center Southern Nevada||1.3 million|
|American Anesthesiology||1.27 million|
|Practicefirst Medical Management Solutions||1.2 million|
2022 Trends So Far
As of Monday, the HHS OCR website showed five major breaches affecting 1.6 million individuals posted so far in 2022.
Each of those breaches was reported as a hacking/IT incident, as were the 10 largest breaches posted on the HHS site in 2021.
So far in 2022, the largest breach posted on the HHS site was reported on Jan. 2 by Fort Lauderdale, Florida-based Broward Health. That hacking incident, which occurred in October and involved data exfiltration, affected 1.3 million individuals.
Some experts do not expect the growing number of health data breaches being reported - and the increasing number of individuals affected - to subside anytime soon.
"Breaches will increase as businesses continue to automate more. Data is the new currency in the cyber world," says Tom Walsh, founder of privacy and security consultancy tw-Security.
But that is not just a healthcare sector problem, some experts note. "I assume the number of breaches across industries has risen. [This] goes along with the worldwide nature of cyber business and security and crime. And the pandemic exacerbates it all," says Kate Borten, president of privacy and security consultancy The Marblehead Group.
Hacking incidents in particular will continue to plague the healthcare sector, Walsh says. "Hackers have stepped up their efforts. With new tools available it’s even easier for someone with basic experience to launch a more sophisticated attack," he says.
Walsh says hackers used to have to be technically skilled in operating systems and software to successfully launch an attack, but now software-as-a-service tools and tools using artificial intelligence are making it easier for novice hackers.
At the same time, "the pandemic seems to have bred more scams, taking advantage of people working at home where they're connected 24/7," Borten says. She says working at home and combining business and personal activities throughout the day and night may weaken individuals' attention to good security practices.
Walsh says many organizations have become more diligent about addressing work-at-home risks.
"The home office environment may not be as secure as the work environment. However, it’s been my experience that, while in 2020 business hurriedly sent the majority of their workforce home, in 2021, efforts were made to later shore up the security defenses for those working from home."
In the meantime, the surge in ransomware attacks has created the need for covered entities and business associates to change their defense strategies and recovery procedures, he says.
"The kinds of breaches caused by ransomware seem to have shifted from an inconvenience of the availability of data - encrypted data held ransom - to the exfiltration of data with threats of releasing the data on the dark web if the ransom wasn’t paid," Walsh says, and adds that data exfiltration "requires a totally different response strategy."