Though HIPAA-covered entities have been required for more than a decade to report patient data breaches to HHS, it was only recently (following a Freedom of Information Act request by Protenus) that the agency publicized statistics on breaches affecting fewer than 500 individuals.
The most notable finding? When larger and smaller breaches are combined (larger being those that affected more than 500 patient records, and smaller being those that affected fewer than 500), unauthorized access accounted for the vast majority — 92 percent — of all breaches in 2019. This is a very different picture from the one we get by looking exclusively at larger breaches for the year; in that pared-down dataset, unauthorized access was linked to just 31 percent of breaches.
As healthcare organizations have finite resources to devote to monitoring and investigating potential privacy violations, it is essential that they have a precise understanding of where risks lie. By examining differences in the nature and frequency of larger and smaller breaches reported to HHS, we hope to illuminate insights that help healthcare organizations more effectively allocate their limited compliance and privacy monitoring resources.
Download the case study on how Protenus helped one large integrated health system establish comprehensive privacy monitoring and drastically reduce investigation time.
The full dataset, which is provided to Congress annually in HHS' annual breach report but historically not made available to the public, shows breach and impact totals not just for 2019, but for periods dating all the way back to September 2009.
For each reporting year excluding 2009 and 2010, the number of confirmed breaches was broken down by:
- Setting (healthcare provider, health plan, business associate, clearinghouse, or unknown)
- Cause (hacking, unauthorized access, theft, loss, improper disposal, or other/unknown)
- Physical location (e-mail, network server, paper, desktop computer, EMR, laptop, or other portable device)
We examined the numbers for patterns, and as expected, the larger breaches — those that affected more than 500 people each — account for the vast majority of patients affected overall. This is, of course, the underlying reason that so much focus is placed on the larger breaches. However, based on our knowledge that smaller breaches can be more targeted and personal, and therefore especially damaging in unique ways, we believe it's important that HHS has disclosed this piece of the puzzle.
After all, the healthcare organizations we partner with are responsible for protecting patient privacy on all levels. Holistic protection of patient data requires expanding their focus beyond the few incidents that impact large volumes of records. The overwhelming majority of small breaches resulting from unauthorized access must also be addressed. Whether an incident affects one patient or hundreds, it can be thwarted through complete, proactive monitoring, empowered investigations, and on-the-spot policy education.
Over the entire period for which HHS has collected this data, 466,000 smaller breaches were reported, affecting nearly 2.6 million people in total. No fewer than 60,000 smaller breaches were reported in each of the last three years of data.
The total number of larger breaches reported over the decade was far lower than the number of smaller breaches, at just under 3,000, but those large breaches affected a staggering 234 million individuals in total. In an alarming indication that the impact of breaches is worsening, large breaches compromised the data of 38.7 million people in 2019, an increase of over 200 percent from 2018.
Overall, HHS' decision to publicly report only breaches that affect more than 500 individuals makes sense — it gives a generally accurate sense of how many individuals are affected, as the number impacted by smaller breaches amounts to just a drop in the bucket. That said, close examination of the smaller breaches does provide important insight into real risk areas for organizations. When it comes to allocating resources to overall risk mitigation efforts, it is critical for organizations to have visibility into the frequency and nature of small breaches.
Looking only at breaches that affected more than 500 records in 2019, the most recent year for which data is available, hacking incidents were responsible for 57 percent of reports, whereas unauthorized access was the cause behind about 30 percent of reports. But hacking was far from the prevailing cause of breaches in the smaller breaches dataset, representing a mere 1 percent. As mentioned above, when looking at the combined data, it was unauthorized access that accounted for the majority of incidents — 92 percent — in 2019.
The 2019 data on smaller breaches also shows that they are a particular challenge for healthcare providers. Healthcare providers were the reported setting for 90 percent of all breaches combined, versus 80 percent of larger breaches alone.
Lastly, the data revealed that with smaller breaches factored in, 67 percent of all breaches in 2019 were associated with paper disclosure, whereas only 11 percent of the larger breach reports involved a paper incident. Thus, despite being tied to a smaller number of individuals, paper is an alarmingly breach-prone approach to handling patient data.
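The contrast drawn above (share of reports by cause, setting and location when only larger breaches are counted, versus when smaller breaches are folded in, versus the share of individuals affected) is easy to reproduce on a compliance team's own incident log. The following is an added example, not code from Protenus or HHS: it takes breach records with the three HHS breakdown fields listed earlier plus an affected-individuals count, and produces the three views side by side. The records, field names and the 500-person cut-off are constructed sample data and assumptions, not real HHS figures.

```python
"""Frequency-vs-impact view of breach reports, modelled on the HHS breakdown
(setting, cause, physical location) described in the post.

Added example; not Protenus or HHS code. The records below are constructed
sample data, not real HHS figures; field names are assumptions."""

from collections import Counter
from dataclasses import dataclass

LARGE_THRESHOLD = 500  # the post's cut between "larger" and "smaller" breaches


@dataclass(frozen=True)
class Breach:
    setting: str    # provider, health plan, business associate, clearinghouse
    cause: str      # hacking, unauthorized access, theft, loss, improper disposal
    location: str   # email, network server, paper, desktop, EMR, laptop, portable
    affected: int   # individuals affected


def is_large(b: Breach) -> bool:
    """The post's definition: a 'larger' breach affects more than 500 people."""
    return b.affected > LARGE_THRESHOLD


def share_by(field: str, breaches, weight_by_affected=False):
    """Percent of reports (or of affected individuals) per value of `field`.

    weight_by_affected=False counts reports, the view that surfaces frequent
    small incidents; True sums individuals, the view dominated by big breaches."""
    totals = Counter()
    for b in breaches:
        totals[getattr(b, field)] += b.affected if weight_by_affected else 1
    grand = sum(totals.values())
    return {k: round(100 * v / grand, 1) for k, v in totals.items()}


def compare_views(field: str, breaches):
    """The three views the post contrasts: large-only report share,
    combined report share, and combined share of individuals affected."""
    large = [b for b in breaches if is_large(b)]
    return {
        "large_only_by_count": share_by(field, large),
        "combined_by_count": share_by(field, breaches),
        "combined_by_impact": share_by(field, breaches, weight_by_affected=True),
    }


def tier_summary(breaches):
    """(report count, individuals affected) per tier: small breaches dominate
    by count while large ones dominate by people affected."""
    out = {"large": [0, 0], "small": [0, 0]}
    for b in breaches:
        key = "large" if is_large(b) else "small"
        out[key][0] += 1
        out[key][1] += b.affected
    return {k: tuple(v) for k, v in out.items()}


# Constructed sample: a few big hacking incidents, many small paper/EMR
# unauthorized-access cases. Not real data.
SAMPLE = (
    [Breach("provider", "hacking", "network server", 120_000)] * 3
    + [Breach("health plan", "hacking", "email", 8_000)] * 2
    + [Breach("provider", "unauthorized access", "EMR", 2_000)] * 2
    + [Breach("business associate", "theft", "laptop", 3_000)]
    + [Breach("provider", "unauthorized access", "paper", 1)] * 40
    + [Breach("provider", "unauthorized access", "EMR", 3)] * 30
    + [Breach("provider", "loss", "paper", 12)] * 10
    + [Breach("health plan", "improper disposal", "paper", 50)] * 4
)

if __name__ == "__main__":
    print("tiers:", tier_summary(SAMPLE))
    for field in ("cause", "setting", "location"):
        print(field)
        for view, shares in compare_views(field, SAMPLE).items():
            print(f"  {view:22s} {shares}")
```

On the constructed sample, hacking is the leading cause among large breaches by count and accounts for nearly all individuals affected, yet unauthorized access is the leading cause once small reports are included, and paper becomes the leading location; the same reversal the post reports in the HHS data. Running the three views over a real incident log shows which cause and location categories a monitoring programme is under-weighting if it tunes itself only to the large-breach picture.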
The full picture
With new transparency from HHS, we can see the full scope of the breach problem that has plagued healthcare organizations over the past decade and will continue to wreak havoc in the years to come.
The incidents that affect more than 500 individuals in one fell swoop tend to draw the most attention and make for the splashiest headlines, but they're only part of the story. Smaller breaches are also occurring in the background, and they're astoundingly frequent. Health systems are tasked with protecting against both, resulting in an immense workload for compliance teams.
A responsibility of this magnitude cannot be fulfilled with human intelligence alone. As they inevitably continue causing headaches for healthcare providers and demonstrating the ubiquity of unauthorized access, newly disclosed smaller breaches underscore the need for complete, intelligent monitoring solutions.
For insight into how complete, proactive monitoring was implemented at a large integrated health system, download the case study.