The HIPAA Journal posted their 2022 Healthcare Data Breach Report on January 24, 2023. For the first time since 2015, there was a year-over-year decline in the number of healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13% with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst-ever year in terms of the number of reported breaches.
The study notes that the theft of protected health information places patients, health plan members, and healthcare administrators at risk of identity theft and fraud. Cyberattacks are the most common way for healthcare providers and device manufacturers to have data stolen, but the study leaves out unintentional data loss, as opposed to theft. As an example, this loss can happen when a hospital employee leaves a laptop on a train, but it can also happen when a copy machine is discarded or sold with its hard drive still installed.
Healthcare Data Breach Costs
These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM Cost of a Data Breach Report indicates that the average cost of a healthcare data breach increased to an all-time high of $10.1 million in 2023, although individual data breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.
While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year’s data breaches involved fewer than 50,000 records, and 58% involved between 500 and 999 records.
There were 113 unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records, driven up by some large pixel-related data breaches, while the median breach size was 1,652 records. Unauthorized access/disclosure incidents have been decreasing since 2019.
In 2022, 127 healthcare data breaches were self-reported by business associates, but there were 394 reported healthcare data breaches in which business associates were involved; that is a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time. There is no data showing what kind of business associates were involved, but any vendor that handles hardware could be a culprit. From shippers to resellers, the companies that handle decommissioned devices are just as important as the security measures in place for working equipment.