Breaches of Health Information (US 2010 – 2015)

A research letter (Liu, Musen & Chou, 2015) published recently in the Journal of the American Medical Association1 described breaches of protected health information that had been reported from 2010 through 2013 by entities covered by the Health Insurance Portability and Accountability Act in the United States . Under the Health Information Technology for Economic and Clinical Health Act (2009), breaches involving the acquisition, access, use, or disclosure of protected health information and thus posing a significant risk to affected individuals must be reported.

We extend the original dataset of Liu et. al. to include breaches of health information up to the present. 2

Table 1 summarizes the number of incidents and victims of breaches of health information in the United States from January 2010 to August 2015, inclusive.

Counts and Victims of Health Information Breaches - US 2010-2015
Table 1. Number of incidents and victims of breaches of health information. † 2015 data are for January – August inclusive only.

The most striking feature is the fluctuation in the number of victims over time generally – and the tremendous spike in the number of victims in 2015 particularly.

Figure 1 depicts the distribution of victims/breach of health information as a series of boxplots.

Distribution of number of victims/incident (log scale) of breach of health information U.S. 2010-2015
Figure 1. Distribution of victims/incident (log scale) of breach of health information. † 2015 data are for January – August inclusive only.

We see that in seventy-five percent of all incidents, the number of victims/breach over the year has fallen consistently below 104 (10,000). A small number of incidents have involved 100,000 – 1,000,000 victims/breach, and an even smaller number have involved 1,000,000 – 10,000,000 victims/breach. Incidents involving more than 10,000,000 victims/breach made their first appearance in 2015.

Table 2 presents the Medians and Inter-Quartile Ranges of the distributions of victims/breach.

Median and IQR of Victims of Health Information Breaches - US 2010-2015
Table 2. First Quartile (Q1), Median, Third Quartile (Q3), and Inter-Quartile Range (IQR) of the distribution of victims/incident of breach of health information. † 2015 data are for January – August inclusive only.

The median number of victims of breaches of health is tending to increase over time, with a related increase in the dispersion of the number of victims/breach about the median.

Our focus in a few subsequent posts will be understanding the dynamics and implications of those breaches that have compromised the health information of 100,000+ patients.

Name Date Victims
Affinity Health Plan, Inc. 2010-04-14 344,579
Millennium Medical Management Resources, Inc. 2010-04-29 180,111
AvMed, Inc. 2010-06-03 1,220,000
Siemens Medical Solutions, USA, Inc 2010-06-04 130,495
Governor’s Office of Information Technology 2010-07-09 105,470
Iron Mountain Data Products, Inc. (now known as 2010-07-19 800,000
BlueCross BlueShield of Tennessee, Inc. 2010-11-01 1,023,209
Triple-S Management, Corp.; Triple-S Salud, Inc.; 2010-11-04 475,000
Medical Card System/MCS-HMO/MCS Advantage/MCS Life 2010-11-09 115,000
Ankle + Foot Center of Tampa Bay, Inc. 2011-01-03 156,000
Seacoast Radiology, PA 2011-01-10 231,400
GRM Information Management Services 2011-02-11 1,700,000
EISENHOWER MEDICAL CENTER 2011-03-30 514,330
Oklaholma State Dept. of Health 2011-04-11 132,940
IBM 2011-04-14 1,900,000
NA 2011-05-27 400,000
The Nemours Foundation 2011-10-07 1,055,489
Science Applications International Corporation (SA 2011-11-04 4,900,000
Sutter Medical Foundation 2011-11-17 943,434
Utah Department of Technology Services 2012-04-11 780,000
Emory Healthcare 2012-04-18 315,000
South Carolina Department of Health and Human Services 2012-04-24 228,435
Memorial Healthcare System 2012-08-16 105,646
Alere Home Monitoring, Inc 2012-10-18 116,506
Crescent Health Inc. – a Walgreens Company 2013-02-22 109,000
Digital Archive Management 2013-05-07 189,489
RCR Technology Corporation 2013-07-01 187,533
Shred-it International Inc. 2013-07-11 277,014
Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group 2013-08-23 4,029,530
AHMC Healthcare Inc. and affiliated Hospitals 2013-10-25 729,000
Horizon Healthcare Services, Inc 2014-01-03 839,711
Triple-C, Inc. 2014-01-24 398,000
St. Joseph Health System 2014-02-05 405,000
Indian Health Service 2014-04-01 214,000
Sutherland Healthcare Solutions, Inc. 2014-05-22 342,197
Montana Department of Public Health and Human Services 2014-07-07 1,062,509
Community Health Systems Professional Services Corporation 2014-08-20 4,500,000
Xerox State Healthcare, LLC 2014-09-10 2,000,000
Touchstone Medical Imaging, LLC 2014-10-03 307,528
Walgreen Co. 2014-12-15 160,000
Georgia Department of Community Health 2015-03-02 557,779
Georgia Department of Community Health 2015-03-02 355,127
Virginia Department of Medical Assistance Services (VA-DMAS) 2015-03-12 697,586
Anthem, Inc. Affiliated Covered Entity 2015-03-13 78,800,000
Premera Blue Cross 2015-03-17 11,000,000
Advantage Consolidated LLC 2015-03-18 151,626
CareFirst BlueCross BlueShield 2015-05-20 1,100,000
Beacon Health System 2015-05-22 306,789
University of California, Los Angeles Health 2015-07-17 4,500,000
Medical Informatics Engineering 2015-07-23 3,900,000
Empi Inc and DJO, LLC 2015-08-20 160,000

 

  1.  Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.
  2. Our source of data is the Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, Office for Civil Rights, U.S. Department of Health and Human Services, accessed at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf on September 1, 2015.