Analysis of HIPAA Breaches

Intro

In just the first four months of 2019, 103 breaches were reported to the Office for Civil Rights. In total these breaches affected 3,602,858 individuals. Even with patient privacy being a concern for many health providers the industry is falling short in protecting sensitive data. Across the US, companies are reporting incidents of theft, unauthorized access, and hacking.

Breaches over time

The Office for Civil Rights publishes a dataset of reported breaches going back as far as 2009. If we graph the number of breaches reported each month over the past 9 years the trend is clear. We can also see a few months with a high number of “Individuals Affected” around 2015 (represented by the size of the dot). The most notable being the Anthem breach reported in February 2015 which affected 78,800,000 people.

Types of Breaches

The most common types of breaches are hacking, theft, and unauthorized access. Breach repors can contain multiple breach types, so some parsing had to be done in order to create a meaningful chart on this field. The graph below shows the number of reported breaches per month distinguished by their breach type using color. The size of the dot, similar to our previous chart, shows the relative sum of the records (i.e. individuals affected) for the breaches in the month.

A few things stand out in this chart. Most notably that the reporting of theft has been declining sharply and the reports of unauthorized access and hacking have been increasing. My hypothesis on why the reports of theft have dropped is that the prevalence of encrypted storage has increased. This is a purely anecdotal observation from my experience in IT Risk over the past 10 years, but it makes sense. If a laptop is stolen but its hard drive is encrypted, OCR does not consider the data on that hard drive accessible to an unauthorized user and therefore would not constitute a reportable breach.

My other observation is that the biggest breaches (i.e. ones that affect the most individuals) are related to hacking. When you combine that with the increase in hacking incidents it paints a dire picture for individual privacy.

Breach Map

Total Breaches by State

The map below shows the total number of breaches by state. At first glance, it appears as though covered entities in California, Texas, and Florida have much higher occurrences of data breaches than covered entities in other states. However, this map looks a lot like a map of state populations from the 2015 census.

## Warning: Ignoring unknown parameters: lines

Population Map

There appears to be a correlation between the number of breaches in each state and the population. It might be worth exploring this further. I’d want to test the hypothesis that a higher population means more covered entities (i.e. hospitals) which are available to be breached in a given state. The next graph shows a more normal distribution of breaches across the US.

## Warning: Ignoring unknown parameters: lines

Breaches by Population

I normalized the breaches by dividing the number of breaches by the total state population. I expect this represents a more accurate picture, but statistical analysis would need to be done to determine whether a particular state is more likely to have a breach than others.

## Warning: Ignoring unknown parameters: lines

Covered Entities

Most Breached Entities

I also wanted to see which covered entities incurred the most breaches. I found quality issues with the covered entity name column. I used a clustering algorithm to automatically group like names, then created a “mapping table” of rules based on those clusters. After running the mapping table logic, I was able to count all the breaches by entity and get a more accurate picture of the covered entities with the most reported breaches.

Conclusion

Cyber criminals are attacking organizations of all sizes and industry verticals as IT and Security departments struggle to keep up with the latest threats. The Healthcare industry has seen an increase in the number of breaches over the past few years, especially those related to hacking. Understanding the threat landscape is an important part of increasing the privacy protections over patient data and identifying solutions that reduce breaches.

Avatar
Michael Molloy
Senior Manager, IT Risk & Security

vCISO | Cybersecurity | IT Compliance | Data Analytics