Breaches by the Numbers September 2019

The Department of Health and Human Services Office for Civil Rights (OCR) has reported a staggering increase, compared with this time last year, in all forms of breaches of patient PHI.

Note: These figures do not include any 2019 breaches that involved fewer than 500 individuals. A covered entity must notify the Secretary of a PHI breach affecting fewer than 500 individuals within 60 days of the end of the calendar year in which the breach occurred.

There are many reasons for the increase, such as:

  • The current onslaught of ransomware attacks
  • Increased awareness and monitoring by healthcare entities and their business associates

The table below compares the first eight months of 2018 to the first eight months of 2019.

| | 2018 Jan-Aug | 2019 Jan-Aug | 2019 % increase |
|---|---|---|---|
| Number of individuals affected | 4,680,937 | 37,104,905 | 693% |
| Number of reports | 117 | 312 | 167% |
| Covered Entities | 97 | 282 | 191% |
| Business Associates | 23 | 73 | 217% |
| Type of breach | | | |
| Hacking/IT incident | 59 | 190 | 222% |
| Improper media/equipment disposal | 3 | 4 | 33% |
| Loss or theft | 19 | 35 | 84% |
| Unauthorized access/disclosure | 36 | 83 | 131% |
| Method of breach | | | |
| Desktop computer | 15 | 25 | 67% |
| Email | 39 | 121 | 210% |
| EMR/EHR | 9 | 15 | 67% |
| Paper or Film | 14 | 34 | 143% |
| Laptops & other devices | 22 | 38 | 73% |
| Network servers | 18 | 79 | 339% |