Each year, many news sites add up the number of reports on HHS’s public breach tool and then add up the number of records reported for those incidents. For 2023, that came to 725 reports and about 135 million records. Those numbers are disturbing, but not as disturbing as the numbers out today by Protenus.
Protenus’s annual Breach Barometer® uses a somewhat different collection and analysis approach to breaches of medical or patient data involving U.S. entities. For 2023, they reported 1,161 reports and 171,139,241 breached records for the reports where numbers were available:
A staggering 171 million patient records were breached in 2023. This number includes both breaches reported to HHS under HIPAA and incidents involving health data not covered by HIPAA but held by U.S. entities. A further breakdown of the data shows that in 2023, there were 1,161 reports published on both covered and non-covered entities (Figure 1), impacting a total of 171,139,241 breached records (Figure 2). For comparison, in 2022 there were 1,138 reports affecting a total of 59,664,152 breached records.
[…]
Year over year, the number of breaches reported increased 2% in 2023: while the number of actual incidents dropped 1%, to 942 in 2023, compared to 956 in 2022 and 905 in 2021. However, the number of patient records affected in 2023 was up 187% over 2022, when a total of 171,139,241 patient records were compromised (320% over 2020) in 942 incidents where this measure of breach impact was known.
As Protenus reports, the true number of breached records is unknown because although numbers are reported for each report to HHS on its public breach tool:
- In more than 50 cases, reporting entities used “markers” of 500 or 501 for the number affected if they did not yet know the true number or scope;
- Reports to states or or those affected are not generally not required by law to include the total number affected;
- Most states do not require reports to be sent to a central state agency that makes them available; and
- It was often difficult to know whether a business associate report was for all of its clients or only some of them.
In previous reports, Protenus provided subcategory data on ransomware attacks vs. hacking incidents that did not involve encryption. That analysis was abandoned for the 2023 data because entities were so non-transparent in disclosures that it was often impossible to determine if an incident was a ransomware attack or not.
The 2024 Breach Barometer® also looks at HHS OCR’s response to breaches and HHS’s 2022 annual report released last month. Of special note here, for 2022, HHS OCR reported three instances in which their investigation resulted in resolution agreements with monetary penalties and corrective action plans. It is clear that HHS prefers an educational approach to a punitive approach, and they report an unspecified number of investigations that resulted in voluntary corrective action by entities with HHS’s assistance, but only three resolution agreements with monetary penalties? What should we expect to see for 2023 when so many entities did not disclose timely and often allegedly failed to comply with the HIPAA Security Rule?
The full report can be found at https://www.protenus.com/breach-barometer-report
DataBreaches.net has been proud to collaborate with Protenus on its annual reports each year because Protenus truly appreciates how even small-N incidents like an employee snooping on a few patients’ records are a serious problem. Stop by their site, make a call, or drop Protenus a line to find out more about how they can help you prevent and monitor for unauthorized insider activity.