Accurate HIPAA violation statistics can be difficult to come by due to the way in which HHS' Office for Civil Rights reports violations. It can also be the case that the cause of a violation is miscategorized by the entity reporting it – which may not be the entity responsible for the violation.
As of September 2022, HHS' Office for Civil Rights has received more than 300,000 reports of HIPAA violations. The majority have not presented an eligible case for enforcement; and, of those that have, more than 80,000 have been resolved via technical assistance and Corrective Action Plans. To date, only 126 entities have been issued a Civil Monetary Penalty or reached a financial settlement.
Additionally, despite having resolved more than 80,000 reports of HIPAA violations, there are fewer than 5,000 entries on HHS' Office for Civil Rights' “Breach Report”. This is because under the HITECH Act, the Department of Health and Human Services (HHS) is only required to publish data breaches affecting 500 or more individuals. Consequently, there are few public records of data breaches affecting fewer than 500 individuals or of HIPAA violations that did not result in a data breach.
This creates an issue in compiling HIPAA violation statistics because, from HHS' enforcement highlights web page, we know that one of the top three HIPAA violations is the failure of Covered Entities to provide patients with access to their Protected Health Information (PHI). However, because this type of violation is notified individually, and because it does not involve a breach of unsecured PHI, how frequently this type of HIPAA violation occurs is not reported.
Trends in HIPAA Violation Statistics
In addition to the difficulty in compiling accurate HIPAA violation statistics because of the way in which HHS' Office for Civil Rights reports violations, it can also be difficult to identify trends in HIPAA violation statistics due to violations being reported multiple times and the cause of violations being miscategorized. A prime example of how difficult it is to identify trends in HIPAA violation statistics comes from the 2015 Anthem data breach, in which 78.8 million unsecured records were disclosed.
Because Anthem was the parent company of a Business Associate providing a service to multiple Covered Entities, the breach is recorded eighteen times on the breach report. Furthermore, although the breach occurred due to an employee interacting with a phishing email, all eighteen entries attribute the breach to a “Hacking/IT Incident” on a “Network Server” rather than an “Unauthorized Access/Disclosure” via “Email”. This is not the only example of a breach being miscategorized.
Nonetheless, from the data available, we have created a graphic that demonstrates the increasing number of reported data breaches attributable to hacking and IT incidents. Various reasons are suggested for the significant increase between 2013 and 2017, including the growth of cloud computing, an upsurge of participation in the Meaningful Use incentive program, and Presence Health's $475,000 fine for failing to comply with the Breach Notification requirements.
Hacking Accounts for More Than Half of Disclosed Records
By digging deeper into the HIPAA violation statistics published by HHS' Office for Civil Rights, it is possible to see that hacking and IT incidents account for more than half of the records ever disclosed in data breaches. According to the breach report, only 1% of data breaches have disclosed more than 1 million records, yet they represent 64% of all records disclosed. Notably, 87.5% of the largest data breaches recorded in the breach report were attributable to hacking.
Overall, 82% of all data breaches are categorized as hacking and IT incidents – although it is important to note that not all are attributable to external actors. A number of “assumed” data breaches are reported following the identification of misconfigured servers. These are “assumed” data breaches because there is no telling whether data has been accessed or not, and therefore it is not possible to meet the “low probability” threshold for demonstrating that a data breach has not occurred.
However, when it comes to smaller data breaches in which between 500 and 1,000 records have been disclosed, hacking has a much smaller part to play. As the graphic below illustrates, data breaches in the unauthorized access and theft categories account for more than half of disclosed records; a closer look at these data breaches reveals that the majority of unauthorized access and theft events are attributable to an internal bad actor or human error.
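As an added illustration (not part of the original article) of the double-counting and categorization problems described above, the following Python script collapses constructed breach-report rows in the style of an OCR breach-portal export and recomputes the per-category and size-band record totals; the column names, the sample rows and the deduplication heuristic are assumptions, not OCR's method.

```python
from collections import defaultdict

# Constructed sample rows in the style of an OCR breach-portal export (not real entries).
# Column names are assumptions. The first three rows mimic one incident filed by three
# health plans with a business associate present, as the Anthem entries were.
ROWS = [
    {"name": "Plan A", "state": "IN", "individuals": 78_800_000, "submitted": "2015-03-13",
     "breach_type": "Hacking/IT Incident", "location": "Network Server", "ba_present": "Yes"},
    {"name": "Plan B", "state": "OH", "individuals": 78_800_000, "submitted": "2015-03-13",
     "breach_type": "Hacking/IT Incident", "location": "Network Server", "ba_present": "Yes"},
    {"name": "Plan C", "state": "VA", "individuals": 78_800_000, "submitted": "2015-03-13",
     "breach_type": "Hacking/IT Incident", "location": "Network Server", "ba_present": "Yes"},
    {"name": "Provider F", "state": "IL", "individuals": 1_500_000, "submitted": "2021-02-01",
     "breach_type": "Hacking/IT Incident", "location": "Network Server", "ba_present": "No"},
    {"name": "Clinic D", "state": "CA", "individuals": 600, "submitted": "2021-05-10",
     "breach_type": "Theft", "location": "Laptop", "ba_present": "No"},
    {"name": "Hospital E", "state": "NY", "individuals": 900, "submitted": "2021-06-02",
     "breach_type": "Unauthorized Access/Disclosure", "location": "Email", "ba_present": "No"},
    {"name": "Provider G", "state": "MN", "individuals": 700, "submitted": "2021-07-15",
     "breach_type": "Hacking/IT Incident", "location": "Email", "ba_present": "No"},
]

def dedupe(rows):
    """Collapse entries that look like one incident filed by several entities.
    Heuristic (an assumption): same submission date, individuals affected, breach
    type and location, with a business associate present. The surviving entry
    records how many filings it absorbed in 'entries'."""
    merged = {}
    for i, r in enumerate(rows):
        key = ((r["submitted"], r["individuals"], r["breach_type"], r["location"])
               if r["ba_present"] == "Yes" else ("single", i))
        if key in merged:
            merged[key]["entries"] += 1
        else:
            merged[key] = dict(r, entries=1)
    return list(merged.values())

def records_by_type(rows):
    """Sum individuals affected per breach category."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["breach_type"]] += r["individuals"]
    return dict(totals)

def share_of_records_above(rows, threshold):
    """Fraction of all disclosed records that came from breaches larger than threshold."""
    total = sum(r["individuals"] for r in rows)
    large = sum(r["individuals"] for r in rows if r["individuals"] > threshold)
    return large / total if total else 0.0

def in_band(rows, low, high):
    """Breaches whose individuals-affected count lies in [low, high]."""
    return [r for r in rows if low <= r["individuals"] <= high]
```

Comparing `records_by_type(ROWS)` with `records_by_type(dedupe(ROWS))` shows how much a single multiply-filed incident inflates the hacking category, while `in_band(dedupe(ROWS), 500, 1000)` isolates the small-breach band where other categories dominate.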
It’s Not Only the Nature of Violations that is Misreported
Under the Privacy Rule (§164.504), the Security Rule (§164.314), and the Breach Notification Rule (§164.410), Business Associates are required to inform Covered Entities of security incidents and breaches of unsecured PHI. It is then the responsibility of the Covered Entity to conduct a risk assessment in order to determine whether or not a breach is reportable, and then – if it is reportable – notify affected individuals and HHS' Office for Civil Rights via the notification portal.
However, the notification portal gives organizations three options – one of which enables Business Associates to self-report data breaches:
- Are you a Covered Entity who experienced a breach and are filing on behalf of your organization?
- Are you a Business Associate who experienced a breach and are filing on behalf of a Covered Entity?
- Are you a Covered Entity filing because your Business Associate experienced a breach?
Unfortunately, the HIPAA violation statistics published by HHS' Office for Civil Rights count the third option as a report made by a Covered Entity – even though it was the Business Associate that experienced a breach. Consequently, any HIPAA violation statistics distinguishing between HIPAA violations by Covered Entities and HIPAA violations by Business Associates misreport the number of data breaches attributable to health plans and healthcare providers and their Business Associates.
The Top Ten States for Data Breaches
Issues with HIPAA violation statistics are not only attributable to the way in which data breaches are reported, the way in which violations are categorized, or who enters them on the notification portal. They can also be attributable to how they are interpreted. This is why you may find a different top ten list of states for data breaches depending on how the source of the information has interpreted the HIPAA violation statistics. For example:
- Some sources may place Indiana at the top of the list because that is where Anthem's head office is located.
- Other sources may place Minnesota at the top of the list because of the number of data breaches per head of population.
- Other sources may place Illinois at the top of the list due to being the state with the fastest accelerating rate of data breaches.
We have chosen to place California at the top of our top ten states for data breaches purely on the number of data breaches reported by Covered Entities and Business Associates in 2021. However, it is noticeable that the number of reported data breaches has fallen year-on-year in many states, and this trend appears to be continuing through 2022. Of our top ten states for data breaches, only New York looks likely to surpass its breach notification total from 2021.
HIPAA Violation Statistics: The Fines
We conclude this look at the HIPAA violation statistics by discussing the Civil Monetary Penalties and settlements HHS' Office for Civil Rights has collected over the years. As you might suspect, the largest ever settlement was that reached with Anthem over the colossal breach in 2015. However, the $16 million settlement was only the start. Anthem was fined a further $46.2 million by State Attorneys General and settled a subsequent class action lawsuit for $115 million.
It was mentioned at the beginning of the article that HHS' Office for Civil Rights has only issued a Civil Monetary Penalty or reached a financial settlement in 126 cases. However, across these cases, the agency has collected more than $133 million. These funds are currently paid into the U.S. Treasury General Fund, but – in April 2022 – HHS issued a Request for Information seeking comments on a yet-to-be-enacted clause of the HITECH Act that advocates “settlement sharing” with individuals who have experienced harm as a consequence of a data breach.
It is worth noting that the remaining 80,000 entities found to have violated HIPAA – but whose cases were resolved via technical assistance or a Corrective Action Plan – have not “escaped punishment”. Depending on the nature of the violation and the measures required to correct it and prevent it happening again, complying with a Corrective Action Plan can incur significant indirect costs due to the implementation of new policies and procedures, retraining workforces, and business disruption.
Consequently, to avoid becoming a part of the HIPAA violation statistics and incurring avoidable costs, it is best for Covered Entities and Business Associates to comply with HIPAA. At HIPAAnswers.com, we aim to answer any questions you have about HIPAA and HIPAA compliance. However, every Covered Entity is different and has unique risks and challenges. Therefore, it can be in your best interests to seek professional compliance advice whenever necessary.