Three 2015 Health Data Breach Trends

by Patrick Quirk

[Figure: Individuals Impacted by Health Data Breaches by Year]

What a year for data breaches in the healthcare industry! The number of individuals affected by a health data breach between 2009 and 2014 was about 40 million (per OCR's Wall of Shame). We still have a full month to go in 2015, but OCR has already received reports of breaches impacting over 113 million individuals during 2015.

The largest of those breaches was Anthem at 78.7M, but even if we exclude that outlier from the equation, we still see a 3x increase in individuals affected compared to 2014. In response to these staggering numbers, we partnered with BHS Connect to develop a webinar to help organizations in the healthcare industry get a handle on what this means. This article addresses some highlights from 2015 trends, but the webinar goes into what this means for you and your organization in terms of:

1. Three Trends for 2015 Health Data Breaches
2. Expectations for 2016
3. Best Practices for 2016

If you are interested in participating in one of the upcoming webinars, please register here. Now...on to the trends we've identified for health data breaches from 2015.

Trend #1: Individuals Affected Skyrocketing
Our first trend is the one which inspired this series: the quadrupling of the number of individuals affected by a health data breach in less than a year compared to the combined six prior years. This jump has been fueled by some very large breaches:

| Organization | # Individuals Affected |
| --- | --- |
| CareFirst BlueCross BlueShield | 1.1M |
| Medical Informatics Engineering | 3.9M |
| UCLA Health | 4.5M |
| Excellus Health Plan | 10M |
| Premera Blue Cross | 11M |
| Anthem | 78.7M |

Keep in mind that these numbers will grow as OCR receives more reports throughout December.

[Figure: Health Data Breaches Reported by Year]

Trend #2: Rate of Increase for Reported Breaches Slowing
Given the significant increase in the number of individuals affected by breaches in 2015, you may be surprised to see that the raw number of breaches reported to the OCR is NOT keeping pace with the number of individuals impacted. In fact, the rate of increase for reported breaches may have reached a new plateau. (Note: the 2015 number is a projection based upon YTD)

These two interesting trends with dissimilar trajectories tell us that the average number of patients affected per breach incident is jumping. In fact, the number of breach incidents impacting half a million or more individuals has doubled each of the past three years. That number is standing at 8 for 2015 compared to 4 during 2014. These massive breaches account for over 95% of the individuals affected, but represent less than 5% of the breach incidents.

Trend #3: Impact Increasing, but Organizations Adopting Best Practices to Reduce Costs
The Ponemon Institute reported in May 2015 that the average cost of a health data breach is $363 per personally identifiable record. This is up only 1% over the prior year and indicates that while some factors are driving costs up, healthcare organizations are finding ways to keep the costs of a breach in check.

Two interesting factors which the Ponemon Institute identified as continuing to push costs higher are:

1.) Increase in the percentage of attacks that are criminal in nature
The percentage of breaches which are crime-based is on the rise and now accounts for nearly half of all breaches. This is significant because the average cost of a crime-based breach is higher than other breaches, mostly due to a more involved legal process, including more detailed forensic efforts.

2.) Increase in the consequences of lost revenue
The Ponemon Institute also found that consumers are actually paying attention to data breaches and changing their provider decisions as a result. It was found that patient/client churn is higher for organizations after a data breach. This aligns with consumerization of healthcare concepts and has the potential to have the biggest impact on costs over the long term.

Now, for some good news! The Ponemon Institute also identified factors which are helping organizations drive the costs of a data breach lower. For example, organizations which use encryption extensively lower their cost of a breach by $12 per personally identifiable record, on average. In total, the Ponemon Institute identified factors capable of reducing the average cost of a breach by about 25%.

Up Next:
If you are interested in participating in one of the upcoming webinars to learn our predictions for 2016 and the best practices designed to counteract them, please join us by registering here.