Breach Barometer Report Reveals 2021 Had More Than 50 Million Healthcare Records Breached

Protenus has published its 2022 Breach Barometer Report which reveals that 2021 was a notably awful year for healthcare sector data breaches. There were over 50 million breached healthcare records in 2021.

The report counts healthcare data breaches reported to regulators, breaches reported via the media, incidents not yet disclosed by the breached entity, and breaches that involve healthcare information at non-HIPAA-regulated entities. Databreaches.net provided the data for the report.

Protenus started publishing yearly Breach Barometer reports in 2016. The numbers of healthcare data breaches and breached records continue to increase each year. In 2021, it was confirmed that about 50,406,838 people were impacted by healthcare data breaches, an increase of 24% from the prior year. The report included 905 incidents, an increase of 19% from 2020.

The biggest healthcare data breach of 2021 impacted children’s health plan Florida Healthy Kids Corporation, based in Tallahassee, FL. Vulnerabilities in its website had been left unresolved by its business associate since 2013, and hackers exploited those vulnerabilities to obtain access to the sensitive information of 3,500,000 people who requested medical insurance from 2013 to 2020.

Hacking incidents went up for the 6th consecutive year. There were 678 breaches traced to hacking incidents involving ransomware, malware, phishing, and email incidents, which resulted in the exposure or theft of 43,782,811 individual records.

The number of insider incidents dropped in 2021 after increasing in 2020. There were 111 insider incidents in 2021, compared with 110 in 2019. Insider incidents increased by 26% in 2020, likely due to an increase in pandemic-related insider curiosity or company detection of impropriety.

There were 32 breaches involving theft impacting about 110,6656 records and 11 incidents of lost or missing devices or documents that contain the records of about 30,922 people. 73 incidents are not classified because of a lack of data.

Healthcare providers are the worst-impacted type of HIPAA-covered entity; however, business associate data breaches increased by twice the level in 2019. The incidents were 75% hacking-related, 12% insider error, and 1% insider wrongdoing. There were 20,986,509 records breached in those incidents. Protenus states that the average number of breached records in business associate data breaches is greater than in other breaches.

The discovery time of a data breach has dropped by 30% since 2020. The average time to discover a breach from when it occurred is now 132 days; nevertheless, companies are taking longer to report data breaches than in 2020. The average time to report a data breach in 2021 was 118 days, beyond the 60 days set by the HIPAA Breach Notification Rule. It was 85 days in 2020.

The demand for proactive patient privacy monitoring is greater than ever. The threats today are a lot more distressing than before and can come from various sources, such as a random staff member snooping or a sophisticated hacker who acquires access via an employee channel. If a breach destroys patient trust in a company, that is very hard to recover from.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.