Blog | Protenus

Latest HHS Breach Data Underscores Importance of a Comprehensive Privacy Protection Strategy

We've examined 2020 HHS breach data for combined large and small incidents to gain insight on trends and provide recommendations for most effectively protecting patient privacy. Our most notable finding may come as a surprise.

HHS recently reported to Congress on healthcare’s 2020 patient data breach information for both large and small incidents (affecting more than 500 patient records vs. fewer than 500). Combined, the number of breaches rose 6% year over year, the largest annual increase since 2015, while associated monetary penalties skyrocketed from $7 million to $13 million in the twelve-month period.

The data from this report was combined with data previously aggregated from a Freedom of Information Act request submitted by Protenus to understand the overall trends that occurred during the onset of the pandemic. The combined dataset shows that unauthorized access to patient records, mostly in the provider setting, accounted for an astounding 93 percent of all breaches in 2020. While external threats like hacking impacted the highest volume of patients, health systems have been inundated with investigations of unauthorized access that stem from their own insiders.


HHS routinely shares publicly available data only for breaches that affect more than 500 patients. This view is helpful for understanding the most significant threats to patients. Looking only at breaches that affect large patient volumes is not helpful, however, for health systems that are trying to understand the full spectrum of risk to their organization. Healthcare organizations are responsible for protecting patient privacy from breaches of any size. It’s key to understand the entire threat spectrum, from the small number of high-impact events caused by incidents like hacking to the vast number of lower-impact but alarmingly frequent incidents most commonly attributed to insider unauthorized access. To best allocate resources already stretched thin, healthcare organizations must identify where their risks live, and for that they require the full story.

Here, we’ll examine the combined HHS breach data with the goal of providing insight and recommendations for mitigating risk most effectively.

Essential takeaways

For the decade HHS has collected this data, nearly 275 million individuals were affected by 536,164 reported breaches. No fewer than 60,000 breaches were reported in each of the last four years of data.


The impact of breaches remains significant and has increased rapidly in recent years. From 2017 to 2018, the number of patients affected by breaches increased 107 percent to 12.5 million. The number of patients affected grew another 212 percent from 2018 to 2019, and has remained steady at around 38 million individuals in each of the last two years.

As mentioned above, when looking at the combined data, unauthorized access was the largest cause of breaches at 93 percent. It’s interesting to note that hacking caused less than 2 percent of breaches in 2020’s combined data.

Breaches continue to be a problem for Health Care Providers, the reported setting for 90 percent of all combined breaches in 2020. The data also shows how many individuals were affected in each setting, and there’s been a huge jump for Health Care Providers. Between 2011 and 2018, the figures averaged 5 million individuals affected and never passed 10 million. In 2019 and 2020, the number spiked to 20 million individuals affected by breaches stemming from Health Care Providers.


Privacy and data breaches are nothing new in healthcare and will continue to be a problem for the foreseeable future. It’s impossible for healthcare organizations’ compliance teams to monitor 100% of the millions of system accesses each day with human resources alone. Human intelligence plus automation technology is the only way to create the strongest privacy protection.

The smaller number of high-impact breaches often gets the lion’s share of attention and resources, but healthcare organizations must understand the risks from the exceedingly large number of lower-impact events that can eventually lead to a huge risk. A proactive approach considers the full threat spectrum for the best chance at preventing future breaches and instituting a culture of compliance in the organization.

As part of a comprehensive privacy protection plan that includes audit controls and authentication, workflow automation greatly reduces financial, reputational, and clinical risk to organizations and, most importantly, to the patients they serve. Training is another key piece in a proactive plan to prevent breaches, specifically on-the-spot education, which was found to be 95 percent effective in reducing hospital employees’ unauthorized access to protected health information (PHI).

If you’d like to learn best practices on how to greatly mitigate your risk by transitioning to a proactive, preventive privacy strategy, reach out to our team for more information today. You can make a difference in supporting your organization’s strategic goals that support patient safety, fiscal responsibility, and community reputation.

For insight into how complete, proactive monitoring was implemented at a large integrated health system, download the case study.
