Did you know that in the United States, the HITECH Act requires the Secretary of Health & Human Services to post a list of breaches of unsecured Protected Health Information affecting 500 or more individuals? A “wall of shame” to some, or patterns and analytics to others.
I wanted to see the trends related to breached PHI since 2010. I ran an analysis against all types of breached data, ranging from physical theft to accidental disclosures to cyber incidents, and found some interesting patterns. Are we getting better at protecting sensitive data? Are we getting worse? Or are we about the same?
Between the years 2010 and 2014, US breached PHI records fluctuated consistently between 6 million and 12 million individuals’ records per year, very consistently spiking every other year. Not good numbers, but a consistent alternation from small(er) to large(r). But then in 2015… BAM!… 110 million additional breached PHI records (from five large breaches: 79 million records; 11 million records; 10 million records; 4.5 million records; and 3.9 million records). Otherwise, the trend would have actually been on the decline to just 3 million records. That number (3 million records) would have been the lowest number of breached PHI since 2009 – believe it or not.
Alas, 2015 was a very, very bad year for PHI at a whopping 113,267,174 breached records.
Curious, I reran the analysis to illustrate the pattern, minus the 5 large-volume breach events. Although fantasy, I wanted to see what the trend would have been without the five biggies. And, voilà. There’s that sawtooth again (up, down, up, down).
2016 was another terrible year for PHI breached records, at 16.7 million records.
But here’s a little bit of good news: 2017 yielded the lowest number of breached PHI records since 2009 at 5,138,179 records, according to the US Department of Health & Human Services (HHS). Although the number of hacking incidents increased dramatically from 2015 to 2017, the actual number of breached PHI records (having been reported to HHS) is indeed declining.
This offset is most likely due to PHI handlers implementing more effective data encryption practices. While hacking incidents are expected to increase in 2018, the trend on breached PHI records is looking promising thus far.
Q1 2018
In the first three months of 2018, the number of breached PHI records was 573,527. If the remainder of the year continues on the current trend, then we may see an all-time low in the number of breached PHI records at 2.2 million records.
More optimistically, 2017 saw about one-third the breached PHI records compared to 2016. Perhaps, we will find that 2018 will net less than one-third the count from 2017 (something around 1.6 million). I’m going to make a prediction that the total PHI breached records count for 2018 will be 1.6 million. I guess, by next January we’ll know how that turned out.
While we all aim for zero, it’s really encouraging to see the sawtooth pattern going away, and the annual totals beginning to steadily decline.
Till next time,
Ed