The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Data Breach Statistics

The HIPAA Journal has compiled healthcare data breach statistics from October 2009, when the Department of Health and Human Services’ Office for Civil Rights first started publishing summaries of healthcare data breaches on its website. The healthcare data breach statistics below only include data breaches of 500 or more records that have been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR), as details of smaller breaches are not made public by OCR.

The breaches include closed cases and breaches that are still being investigated by OCR for potential HIPAA violations. 5,150 data breaches were reported to OCR between October 21, 2009, and December 31, 2022, 882 of which were showing as still under investigation at the end of 2022.  The report will be updated monthly in 2023 to include the latest figures on data breaches and HIPAA enforcement actions. The data on which these healthcare data breach statistics have been calculated were obtained from the HHS’ Office for Civil Rights on March 20, 2023.

Our healthcare data breach statistics clearly show there has been an upward trend in data breaches over the past 14 years, with 2021 seeing more data breaches reported than any other year since records first started being published by OCR. There was a slight decrease in reported data breaches in 2022 – only the second time that there has been a year-over-year decrease in reported healthcare data breaches, although it is naturally too early to tell if this is a blip or the start of a trend that will see healthcare data breaches decline. Bookmark this page and check back regularly to get the latest healthcare data breach statistics and healthcare data breach trends.

There have been notable changes over the years in the main causes of breaches. The loss/theft of healthcare records and electronic protected health information dominated the breach reports between 2009 and 2015. The move to digital record keeping, more accurate tracking of electronic devices, and more widespread adoption of data encryption have been key in reducing these data breaches.  Our healthcare data breach statistics show the main causes of healthcare data breaches are now hacking/IT incidents, with unauthorized access/disclosure incidents also commonplace. Hacking incidents increased significantly since 2015, as has the scale of data breaches, as shown in the charts below showing average and median data breach sizes. One trend that has continued in 2022 is an increase in the number of cyberattacks and data breaches at business associates, which suffered more data breaches in 2022 than any other type of HIPAA-regulated entity.

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

Healthcare Data Breaches by Year

Between 2009 and 2022, 5,150 healthcare data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 382,262,109 healthcare records. That equates to more than 1.2x the population of the United States. In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day. Fast forward 5 years and the rate has more than doubled. In 2022, an average of 1.94 healthcare data breaches of 500 or more records were reported each day.

Healthcare Records Exposed by Year

There has been a general upward trend in the number of records exposed each year, with a massive increase in 2015. 2015 was the worst year in history for breached healthcare records with more than 112 million records exposed or impermissibly disclosed. 2015 was particularly bad due to three massive data breaches at health plans: Anthem Inc, Premera Blue Cross, and Excellus. The Anthem breach affected 78.8 million of its members, with the Premera Blue Cross and Excellus data breaches both affecting around 10 million+ individuals.

Average/Median Healthcare Data Breach Size by Year

Largest Healthcare Data Breaches (2009 – March 2023)

Rank Name of Covered Entity Year Covered Entity Type Individuals Affected Type of Breach
1 Anthem Inc. 2015 Health Plan 78,800,000 Hacking/IT Incident
2 American Medical Collection Agency 2019 Business Associate 26,059,725 Hacking/IT Incident
3 Premera Blue Cross 2015 Health Plan 11,000,000 Hacking/IT Incident
4 Excellus Health Plan, Inc. 2015 Health Plan 10,000,000 Hacking/IT Incident
5 Science Applications International Corporation (SA 2011 Business Associate 4,900,000 Loss
6 University of California, Los Angeles Health 2015 Healthcare Provider 4,500,000 Hacking/IT Incident
7 Community Health Systems Professional Services Corporations 2014 Business Associate 4,500,000 Hacking/IT Incident
8 Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group 2013 Healthcare Provider 4,029,530 Theft
9 OneTouchPoint 2022 Business Associate 4,112,892 Ransomware attack
10 Medical Informatics Engineering 2015 Business Associate 3,900,000 Hacking/IT Incident
11 Eye Care Leaders 2022 Business Associate 3,649,470 Hacking/IT Incident
12 Banner Health 2016 Healthcare Provider 3,620,000 Hacking/IT Incident
13 Florida Healthy Kids Corporation 2021 Health Plan 3,500,000 Hacking/IT Incident
14 Trinity Health 2020 Business Associate 3,320,726 Hacking/IT Incident
15 Newkirk Products, Inc. 2016 Business Associate 3,466,120 Hacking/IT Incident
16 Regal Medical Group (including Lakeside Medical Organization, A Medical Group, ADOC Acquisition Co., A Medical Group Inc. & Greater Covina Medical Group Inc) 2023 Healthcare Provider 3,300,638 Ransomware attack
17 20/20 Eye Care Network, Inc 2021 Business Associate 3,253,822 Hacking/IT Incident
18 Cerebral, Inc. 2023 Business Associate 3,179,835 Impermissible Disclosure (website tracking code)
19 Advocate Aurora Health 2022 Healthcare Provider 3,000,000 Impermissible Disclosure (website tracking code)
20 Dominion Dental Services, Inc., Dominion National Insurance Company, and Dominion Dental Services USA, Inc. 2019 Health Plan 2,964,778 Hacking/IT Incident
21 AccuDoc Solutions, Inc. 2018 Business Associate 2,652,537 Hacking/IT Incident
22 Forefront Dermatology, S.C. 2021 Healthcare Provider 2,413,553 Hacking/IT Incident
23 Connexin Software 2022 Business Associate 2,216,365 Hacking/IT Incident
24 21st Century Oncology 2016 Healthcare Provider 2,213,597 Hacking/IT Incident
25 Shields Healthcare Group 2022 Business Associate 2,000,000 Hacking/IT Incident
26 Xerox State Healthcare, LLC 2014 Business Associate 2,000,000 Unauthorized Access/Disclosure
27 Professional Finance Company 2022 Business Associate 1,918,941 Ransomware attack
28 IBM 2011 Business Associate 1,900,000 Unknown
29 Dental Care Alliance, LLC 2021 Business Associate 1,723,375 Hacking/IT Incident
30 GRM Information Management Services 2011 Business Associate 1,700,000 Theft
31 NEC Networks, LLC d/b/a CaptureRx 2021 Business Associate 1,656,569 Hacking/IT Incident
32 Baptist Medical Center and Resolute Health Hospital 2022 Healthcare Provider 1,608,549 Hacking/IT Incident
33 Inmediata Health Group, Corp. 2019 Healthcare Clearing House 1,565,338 Unauthorized Access/Disclosure
34 Eskenazi Health 2021 Healthcare Provider 1,515,918 Hacking/IT Incident
35 Community Health Network 2022 Healthcare Provider 1,500,000 Impermissible Disclosure (website tracking code)

These figures are calculated based on the reporting entity. When a data breach occurs at a business associate, it may be reported by the business associate, or by each affected HIPAA-covered entity. For instance, in 2022, the electronic health record provider, Eye Care Leaders, suffered a ransomware attack. Each covered entity reported the breach separately. The HIPAA Journal has tracked the breach reports and at least 39 HIPAA-covered entities are known to have been affected, and the records of more than 3.09 million individuals were exposed. Similarly, a major data breach occurred at American Medical Collection Agency in 2019 that was reported by each covered entity, rather than AMCA. That breach affected more than 25 million individuals. Certain business associate data breaches will therefore not be accurately reflected in the above table.

Healthcare Hacking Incidents by Year

Our healthcare data breach statistics show hacking is now the leading cause of healthcare data breaches, although it should be noted that healthcare organizations are now much better at detecting hacking incidents. The low number of hacking/IT incidents in the earlier years could be partially due to the failure to detect hacking incidents and malware infections. Many of the hacking incidents between 2014-2018 occurred many months – and in some cases years – before they were detected.

Unauthorized Access/Disclosures by Year

As with hacking, healthcare organizations are getting better at detecting insider breaches and reporting those breaches to the Office for Civil Rights. These incidents consist of errors by employees, negligence, snooping on medical records, and data theft by malicious insiders. Better HIPAA and security awareness training along with the use of technologies for monitoring access to medical records are helping to reduce these data breaches.

Loss/Theft of PHI and Unencrypted ePHI by Year

Our healthcare data breach statistics show that HIPAA-covered entities and business associates have gotten significantly better at protecting healthcare records with administrative, physical, and technical controls such as encryption, although unencrypted laptops and other electronic devices are still being left unsecured in vehicles and locations accessible by the public. Many of these theft/loss incidents involve paper records, which can equally result in the exposure of large amounts of patient information.

Improper Disposal of PHI/ePHI by Year

HIPAA requires healthcare data, whether in physical or electronic form, to be permanently destroyed when no longer required. The improper disposal of PHI is a relatively infrequent breach cause and typically involves paper records that have not been sent for shredding or have been abandoned.

Healthcare Data Breaches by HIPAA-Regulated Entity Type

The table below shows the raw data from OCR of the data breaches by the entity reporting the breaches; however, this data does not tell the whole story, as data breaches occurring at business associates may be reported by the business associate or each affected covered entity. Many online reports that provide healthcare data breach statistics fail to accurately reflect where many data breaches are occurring.

Healthcare Data Breaches: Reporting Entity (2009 – Mar 2023)

Year Healthcare Provider Health Plan Business Associate Healthcare Clearinghouse Total
2009 14 1 3 0 18
2010 134 21 44 0 199
2011 135 19 45 1 200
2012 154 23 40 1 218
2013 191 20 64 2 277
2014 200 40 74 0 314
2015 195 61 14 0 270
2016 256 51 22 0 329
2017 285 52 21 0 358
2018 274 53 42 0 369
2019 397 59 54 2 512
2020 515 72 74 2 663
2021 516 104 93 2 715
2022 493 87 127 0 707
2023 95 16 35 0 146
Total 3,854 679 752 10 5,295

The graphs below paint a more accurate picture of where healthcare data breaches are occurring, rather than the entities that have reported the data breaches, and clearly show the extent to which business associate data breaches have increased in recent years. In 2022, more data breaches occurred at business associates than at healthcare providers, and business associate data breaches affected the most individuals.  These data highlight the importance of securing the supply chain, conducting due diligence on vendors before their products and services are used, and monitoring existing vendors for HIPAA Security Rule compliance and cybersecurity. In 2023, one of the biggest challenges in healthcare cybersecurity is securing the supply chain.

OCR Settlements and Fines for HIPAA Violations

The penalties for HIPAA violations can be severe. Multi-million-dollar fines are possible when violations have been allowed to persist for several years or when there is systemic non-compliance with the HIPAA Rules, making HIPAA compliance financially as well as ethically important.

The penalty structure for HIPAA violations is detailed in the infographic below. These figures are adjusted annually for inflation.

Penalties for HIPAA violations

OCR Settlements and Fines Over the Years

Further information on HIPAA fines and settlements can be viewed on our HIPAA violation fines page, which details all HIPAA violation fines imposed by OCR since 2008. As the graph below shows, HIPAA enforcement activity has steadily increased over the past 14 years, with 2022 being a record year, with 222 penalties imposed. The major rise in HIPAA violation penalties in 2020 was largely due to a new enforcement initiative by OCR targeting non-compliance with the HIPAA Right of Access – the right of patients to access and obtain a copy of their healthcare data. 11 settlements were reached with healthcare providers in 2020 to resolve cases where patients were not given timely access to their medical records, and in 2021 all but two of the 14 penalties were for HIPAA Right of Access violations. As of March 2023, 43 penalties have been imposed to resolve HIPAA Right of Access violations.

How Much Has OCR Fined HIPAA Covered Entities and Business Associates?

In addition to an increase in fines and settlements, penalty amounts increased considerably between 2015 and 2018. In 2018, the largest ever financial penalty for HIPAA violations was paid by Anthem Inc to resolve potential violations of the HIPAA Security Rule that were discovered by OCR during the investigation of its 78.8 million record data breach in 2015. Anthem paid $16 million to settle the case. In 2020, Premera Blue Cross settled potential violations of the HIPAA Rules and paid a $6,850,000 penalty to resolve its 2015 data breach of the PHI of almost 10.5 million individuals, and in 2021 a $5,000,000 settlement was agreed upon with Excellus Health Plan to resolve HIPAA violations identified that contributed to its 2015 data breach of the PHI of almost 9.4 million individuals.

While large financial penalties are still imposed to resolve HIPAA violations, the trend has been for smaller penalties to be issued in recent years, with those penalties imposed on healthcare organizations of all sizes. It is no longer the case where smaller healthcare organizations escape HIPAA fines. In 2022, 55% of the financial penalties imposed by OCR were on small medical practices.

It was expected that 2018 would see fewer fines for HIPAA-covered entities than in the past two years due to HHS budget cuts, but that did not prove not to be the case. 2018 was a record-breaking year for HIPAA fines and settlements, beating the previous record of $23,505,300 set in 2016 by 22%. OCR received payments totaling $28,683,400 in 2018 from HIPAA-covered entities and business associates who had violated HIPAA Rules and 2020 saw a major increase in enforcement activity with 19 settlements. The number of financial penalties was reduced in 2021; however, 2022 has seen penalties increase, with 22 penalties announced by OCR, more than in any other year to date.

OCR Penalties for HIPAA Violations (2008 – Apr 2023)

Year Covered Entity Amount Penalty Type
2023 Banner Health $1,250,000 Settlement
2023 Life Hope Labs, LLC $16,500 Settlement
2022 Health Specialists of Central Florida Inc $20,000 Settlement
2022 New Vision Dental $23,000 Settlement
2022 Great Expressions Dental Center of Georgia, P.C. $80,000 Settlement
2022 Family Dental Care, P.C. $30,000 Settlement
2022 B. Steven L. Hardy, D.D.S., LTD, dba Paradise Family Dental $25,000 Settlement
2022 New England Dermatology and Laser Center $300,640 Settlement
2022 ACPM Podiatry $100,000 Civil Monetary Penalty
2022 Memorial Hermann Health System $240,000 Settlement
2022 Southwest Surgical Associates $65,000 Settlement
2022 Hillcrest Nursing and Rehabilitation $55,000 Settlement
2022 MelroseWakefield Healthcare $55,000 Settlement
2022 Erie County Medical Center Corporation $50,000 Settlement
2022 Fallbrook Family Health Center $30,000 Settlement
2022 Associated Retina Specialists $22,500 Settlement
2022 Coastal Ear, Nose, and Throat $20,000 Settlement
2022 Lawrence Bell, Jr. D.D.S $5,000 Settlement
2022 Danbury Psychiatric Consultants $3,500 Settlement
2022 Oklahoma State University – Center for Health Sciences $875,000 Settlement
2022 Dr. Brockley $30,000 Settlement
2022 Jacob & Associates $28,000 Settlement
2022 Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. $50,000 Civil Monetary Penalty
2022 Northcutt Dental-Fairhope $62,500 Settlement
2021 Advanced Spine & Pain Management $32,150 Settlement
2021 Denver Retina Center $30,000 Settlement
2021 Dr. Robert Glaser $100,000 Civil Monetary Penalty
2021 Rainrock Treatment Center LLC (dba monte Nido Rainrock) $160,000 Settlement
2021 Wake Health Medical Group $10,000 Settlement
2021 Children’s Hospital & Medical Center $80,000 Settlement
2021 The Diabetes, Endocrinology & Lipidology Center, Inc. $5,000 Settlement
2021 AEON Clinical Laboratories (Peachstate) $25,000 Settlement
2021 Village Plastic Surgery $30,000 Settlement
2021 Arbour Hospital $65,000 Settlement
2021 Sharpe Healthcare $70,000 Settlement
2021 Renown Health $75,000 Settlement
2021 Excellus Health Plan $5,100,000 Settlement
2021 Banner Health $200,000 Settlement
2020 Peter Wrobel, M.D., P.C., dba Elite Primary Care $36,000 Settlement
2020 University of Cincinnati Medical Center $65,000 Settlement
2020 Dr. Rajendra Bhayani $15,000 Settlement
2020 Riverside Psychiatric Medical Group $25,000 Settlement
2020 City of New Haven, CT $202,400 Settlement
2020 Aetna $1,000,000 Settlement
2020 NY Spine $100,000 Settlement
2020 Dignity Health, dba St. Joseph’s Hospital and Medical Center $160,000 Settlement
2020 Premera Blue Cross $6,850,000 Settlement
2020 CHSPSC LLC $2,300,000 Settlement
2020 Athens Orthopedic Clinic PA $1,500,000 Settlement
2020 Housing Works, Inc. $38,000 Settlement
2020 All Inclusive Medical Services, Inc. $15,000 Settlement
2020 Beth Israel Lahey Health Behavioral Services $70,000 Settlement
2020 King MD $3,500 Settlement
2020 Wise Psychiatry, PC $10,000 Settlement
2020 Lifespan Health System Affiliated Covered Entity $1,040,000 Settlement
2020 Metropolitan Community Health Services dba Agape Health Services $25,000 Settlement
2020 Steven A. Porter, M.D $100,000 Settlement
2019 Jackson Health System $2,154,000 Civil Monetary Penalty
2019 Texas Department of Aging and Disability Services $1,600,000 Civil Monetary Penalty
2019 University of Rochester Medical Center $3,000,000 Settlement
2019 Touchstone Medical imaging $3,000,000 Settlement
2019 Sentara Hospitals $2,175,000 Settlement
2019 Medical Informatics Engineering $100,000 Settlement
2019 Korunda Medical, LLC $85,000 Settlement
2019 Bayfront Health St. Petersburg $85,000 Settlement
2019 West Georgia Ambulance $65,000 Settlement
2019 Elite Dental Associates $10,000 Settlement
2018* University of Texas MD Anderson Cancer Center $4,348,000 Civil Monetary Penalty
2018 Anthem Inc $16,000,000 Settlement
2018 Fresenius Medical Care North America $3,500,000 Settlement
2018 Massachusetts General Hospital $515,000 Settlement
2018 Brigham and Women’s Hospital $384,000 Settlement
2018 Boston Medical Center $100,000 Settlement
2018 Filefax, Inc. $100,000 Settlement
2017 Children’s Medical Center of Dallas $3,200,000 Civil Monetary Penalty
2017 Memorial Healthcare System $5,500,000 Settlement
2017 Cardionet $2,500,000 Settlement
2017 Memorial Hermann Health System $2,400,000 Settlement
2017 21st Century Oncology $2,300,000 Settlement
2017 MAPFRE Life Insurance Company of Puerto Rico $2,200,000 Settlement
2017 Presense Health $475,000 Settlement
2017 Metro Community Provider Network $400,000 Settlement
2017 St. Luke’s-Roosevelt Hospital Center Inc. $387,000 Settlement
2017 The Center for Children’s Digestive Health $31,000 Settlement
2016 Lincare, Inc. $239,800 Civil Monetary Penalty
2016 Advocate Health Care Network $5,550,000 Settlement
2016 Feinstein Institute for Medical Research $3,900,000 Settlement
2016 University of Mississippi Medical Center $2,750,000 Settlement
2016 Oregon Health & Science University $2,700,000 Settlement
2016 New York Presbyterian Hospital $2,200,000 Settlement
2016 St. Joseph Health $2,140,500 Settlement
2016 North Memorial Health Care of Minnesota $1,550,000 Settlement
2016 Raleigh Orthopaedic Clinic, P.A. of North Carolina $750,000 Settlement
2016 University of Massachusetts Amherst (UMass) $650,000 Settlement
2016 Catholic Health Care Services of the Archdiocese of Philadelphia $650,000 Settlement
2016 Care New England Health System $400,000 Settlement
2016 Complete P.T., Pool & Land Physical Therapy, Inc. $25,000 Settlement
2015 Triple S Management Corporation $3,500,000 Settlement
2015  Lahey Hospital and Medical Center $850,000 Settlement
2015 University of Washington Medicine $750,000 Settlement
2015 Cancer Care Group, P.C. $750,000 Settlement
2015 St. Elizabeth’s Medical Center $218,400 Settlement
2015 Cornell Prescription Pharmacy $125,000 Settlement
2014 New York and Presbyterian Hospital and Columbia University $4,800,000 Settlement
2014 Concentra Health Services $1,725,220 Settlement
2014 Parkview Health System, Inc. $800,000 Settlement
2014 QCA Health Plan, Inc., of Arkansas $250,000 Settlement
2014 Skagit County, Washington $215,000 Settlement
2014 Anchorage Community Mental Health Services $150,000 Settlement
2013 WellPoint $1,700,000 Settlement
2013 Affinity Health Plan, Inc. $1,215,780 Settlement
2013 Idaho State University $400,000 Settlement
2013 Shasta Regional Medical Center $275,000 Settlement
2013 Adult & Pediatric Dermatology, P.C. $150,000 Settlement
2012 Alaska DHSS $1,700,000 Settlement
2012 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. $1,500,000 Settlement
2012 Blue Cross Blue Shield of Tennessee $1,500,000 Settlement
2012 Phoenix Cardiac Surgery $100,000 Settlement
2012 The Hospice of Northern Idaho $50,000 Settlement
2011 Cignet Health of Prince George’s County $4,300,000 Civil Monetary Penalty
2011 General Hospital Corp. & Massachusetts General Physicians Organization Inc. $1,000,000 Settlement
2011 University of California at Los Angeles Health System $865,500 Settlement
2010 Rite Aid Corporation $1,000,000 Settlement
2010 Management Services Organization Washington Inc. $35,000 Settlement
2009 CVS Pharmacy Inc. $2,250,000 Settlement
2008 Providence Health & Services $100,000 Settlement

*In 2021, following an appeal, the civil monetary penalty imposed on the University of Texas MD Anderson Cancer Center by the HHS’ Office for Civil Rights was vacated.

State Attorneys General HIPAA Fines and Other Financial Penalties for Healthcare Organizations

State attorneys general can bring actions against HIPAA-covered entities and their business associates for violations of the HIPAA Rules. Penalties range from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year.

Only a handful of U.S. states have imposed penalties for HIPAA violations; however, that changed in 2019 when many state Attorneys General started participating in multistate actions against HIPAA-covered entities and business associates that experienced major data breaches and were found not to be in compliance with the HIPAA Rules.

The penalties detailed below have been imposed by state attorneys general for HIPAA violations and violations of state laws. It is common for penalties to be imposed solely for violations of state laws, even though there are corresponding HIPAA violations.

Attorneys General HIPAA Fines (2008 – Apr 2023)

Year State Covered Entity Amount
2023 New York Heidell, Pittoni, Murphy & Bach LLP $200,000
2023 Pennsylvania & Ohio DNA Diagnostics Center $400,000
2022 Oregon & Utah Avalon Healthcare $200,000
2022 Massachusetts Aveanna Healthcare $425,000
2022 New York EyeMed Vision Care $600,000
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000
2021 New Jersey Regional Cancer Care Associates (Regional Cancer Care Associates LLC, RCCA MSO LLC, and RCCA MD LLC) $425,000
2021 New Jersey Diamond Institute for Infertility and Menopause $495,000
2021 Multistate American Medical Collection Agency $21 million (suspended)
2020 Multistate CHSPSC LLC $5,000,000
2020 Multistate Anthem Inc. $39.5 million
2020 California Anthem Inc. $8.7 million
2019 Multistate Premera Blue Cross $10,000,000
2019 Multistate Medical Informatics Engineering $900,000
2019 California Aetna $935,000
2018 Massachusetts McLean Hospital $75,000
2018 New Jersey EmblemHealth $100,000
2018 New Jersey Best Transcription Medical $200,000
2018 Connecticut Aetna $99,959
2018 New Jersey Aetna $365,211.59
2018 District of Columbia Aetna $175,000
2018 Massachusetts UMass Memorial Medical Group / UMass Memorial Medical Center $230,000
2018 New York Arc of Erie County $200,000
2018 New Jersey Virtua Medical Group $417,816
2018 New York EmblemHealth $575,000
2018 New York Aetna $1,150,000
2017 California Cottage Health System $2,000,000
2017 Massachusetts Multi-State Billing Services $100,000
2017 New Jersey Horizon Healthcare Services Inc., $1,100,000
2017 Vermont SAManage USA, Inc. $264,000
2017 New York CoPilot Provider Support Services, Inc $130,000
2015 New York University of Rochester Medical Center $15,000
2015 Connecticut Hartford Hospital/ EMC Corporation $90,000
2014 Massachusetts Women & Infants Hospital of Rhode Island $150,000
2014 Massachusetts Boston Children’s Hospital $40,000
2014 Massachusetts Beth Israel Deaconess Medical Center $100,000
2013 Massachusetts Goldthwait Associates $140,000
2012 MN Accretive Health $2,500,000
2012 Massachusetts South Shore Hospital $750,000
2011 Vermont Health Net Inc. $55,000
2011 Indiana WellPoint Inc. $100,000
2010 Connecticut Health Net Inc. $250,000

Federal Trade Commission Fines and Penalties 2023

In 2009, the Federal Trade Commission (FTC) published a new rule that required vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. The FTC Health Breach Notification Rule applies only to identifying health information that is not covered by HIPAA. The Rule does not apply to HIPAA-covered entities or business associates, which have reporting requirements per the HIPAA Breach Notification Rule.

The FTC issued a policy update in 2021 stating its intention to start actively enforcing compliance. Prior to 2023, no financial penalties had been imposed for breach notification failures but that changed in February 2023.

Entity Company Type Penalty Type Amount Reason
GoodRx Holdings Inc. Telemedicine platform provider Settlement $1,500,000 Failure to notify consumers about the impermissible disclosure of personal and health information to third parties such as Google and Facebook
BetterHelp Inc. Online counseling service provider Settlement $7,800,000 Impermissible disclosure of personal and health information to third parties such as Google and Facebook

Healthcare Data Breach Statistics FAQs

How does the number of data breaches in the healthcare sector compare with other sectors?

An analysis of data breaches recorded on the Privacy Rights Clearinghouse database between 2015 and 2019 showed that 76.59% of all recorded data breaches were in the healthcare sector. This implies the healthcare sector recorded three times as many data breaches as the education, finance, retail, and government sectors combined.

Why are there so many more data breaches in the healthcare sector than in other sectors?

Healthcare data is more valuable on the black market than financial data because financial data is shut down quickly before cybercriminals can make use of it, whereas healthcare data can be used to commit identity theft for much longer. Additionally, organizations in the healthcare sector tend to have larger databases – making them more attractive targets.

It is also the case that organizations in the healthcare sector have stricter breach notification requirements than in other sectors. Certain types of breaches (i.e., ransomware attacks) have to be reported even if it cannot be established data has been compromised. The increasing number of recent ransomware attacks may have influenced the healthcare data breach statistics.

Why has the average HIPAA penalty decreased since 2018 despite increases in the number of breaches and median breach size?

Since 2019, the Office for Civil Rights (OCR) has been running a right of access initiative to clamp down on providers who fail to provide patients with access to their PHI within the thirty days allowed. Because penalties for right of access failures are less than for high-volume data breaches, this has resulted in a decrease in the average HIPAA penalty in recent years.

If a healthcare professional discloses PHI without authorization, is this included in the healthcare data breach statistics?

Because the healthcare data breach statistics are compiled from breaches involving 500 or more records, individual unauthorized disclosures of PHI are not included in the figures. However, if the unauthorized disclosure is investigated by OCR and found to be attributable to willful neglect, any subsequent fines will be included in the settlement statistics.

How can healthcare organizations mitigate data breaches?

There are multiple steps healthcare organizations can take to mitigate data breaches. The most effective step is to encrypt protected health information to render it unusable, unreadable, or indecipherable in the event of a ransomware attack. This will ensure data is not compromised and the attack will not have to be reported to the Office for Civil Rights.

Other steps include implementing two-factor authentication on privileged accounts to mitigate the consequences of credential theft, running checks on all storage volumes (cloud and on-premises) to ensure appropriate permissions are applied, checking network connections for unauthorized open ports, and eliminating Shadow IT environments developed as workarounds,

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy


Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist