Key Takeaways:
Since April 2003, the OCR has received over 369,107 complaints related to HIPAA violations.
In 2022, an average of 1.94 healthcare data breaches involving 500 or more records occurred daily.
From January 1, 2018, to September 30, 2023, hacking-related data breaches surged by 239%.
In 2023, more than 133 million records were either exposed or impermissibly disclosed.
In 2023, there were 26 breaches that affected more than 1 million records each.
The largest financial penalty for a HIPAA violation occurred in 2018 when Anthem Inc. paid $16 million for its 2015 data breach.
There was a staggering 450% increase in Right of Access fines from 2019 to 2022.
HIPAA Complaints and Compliance Reviews
Since April 2003, the OCR has received over 369,107 complaints related to HIPAA violations.
The OCR has launched more than 1,191 compliance reviews in response to potential HIPAA breaches.
Out of all cases, the OCR has successfully resolved 99% (365,993) of them.
Over 31,071 cases have been investigated and resolved by the OCR, requiring changes in privacy practices, corrective actions, or technical assistance.
In 15,417 instances, OCR's investigations concluded that no violations had occurred.
Early intervention by the OCR provided technical assistance without a formal investigation in 66,397 cases.
In 2020 alone, the OCR initiated 220 audits and 9,136 investigations concerning HIPAA compliance.
A staggering 60% of organizations expressed doubts about their ability to pass a HIPAA audit confidently.
Only 34% of organizations have fully documented their HIPAA compliance measures.
99% of businesses consider HIPAA compliance essential to their operations.
1 out of 7 organizations currently lacks a designated Compliance Officer.
As of September 2022, the HHS Office for Civil Rights has handled over 300,000 reports of HIPAA violations.
More than 80,000 cases have been resolved through technical assistance and Corrective Action Plans.
The HHS Office for Civil Rights has settled another 80,000 HIPAA violation cases using Corrective Action Plans or technical assistance.
Data Breaches Reported to OCR
In 2022, 720 data breaches involving 500 or more records were reported to the OCR.
In 2023, this number slightly increased, with 725 data breaches involving 500 or more records reported to the OCR.
Between October 2009 and December 31, 2023, the OCR recorded 5,887 large healthcare data breaches.
As of January 22, 2023, there were 857 data breaches listed on the OCR breach portal that were still under investigation.
On the same date last year, 882 data breaches were still under investigation.
In 2020, 599 data breaches in the healthcare sector affected a staggering 26 million individuals.
In 2022, an average of 1.94 healthcare data breaches involving 500 or more records occurred daily.
The healthcare sector accounted for 79% of all reported data breaches.
58% of breaches were attributed to hacking or IT-related incidents.
Despite having resolved over 80,000 reports, fewer than 5,000 entries appear on the HHS Office for Civil Rights "Breach Report."
The HHS is only obligated to publish breaches impacting 500 or more individuals under the HITECH Act.
Breach Statistics Over Time
From January 1, 2018, to September 30, 2023, hacking-related data breaches surged by 239%.
During the same period, ransomware attacks saw an alarming 278% increase.
In 2019, 49% of all reported data breaches were caused by hacking incidents.
By 2023, hacking accounted for a staggering 80% of all data breaches.
In 2018, healthcare organizations experienced data breaches at a rate of approximately 1 per day.
By 2023, the rate had almost doubled, with an average of 1.99 breaches per day in the healthcare sector.
Data breaches have consistently been on the rise over the last 14 years.
In 2020 alone, 599 data breaches were reported in the healthcare industry.
By 2022, healthcare organizations were reporting an average of 1.94 breaches per day.
Only 1% of breaches exposed more than 1 million records, yet they accounted for 64% of all records disclosed.
A vast majority, 82%, of all data breaches have been classified as hacking or IT-related incidents.
A significant 87.5% of the largest data breaches recorded in the breach report were due to hacking activities.
Records Exposed in Data Breaches
In 2023, more than 133 million records were either exposed or impermissibly disclosed.
In 2021, 45.9 million healthcare records were breached.
The number of records breached in 2022 rose to 51.9 million.
By 2023, the number of breached records surged to 133 million.
The largest data breach in 2023 impacted 11,270,000 individuals.
Between October 2009 and December 31, 2023, a staggering 519,935,970 healthcare records were exposed or impermissibly disclosed.
In 2023, there were 26 breaches that affected more than 1 million records each.
Four breaches in 2023 alone affected over 8 million records.
The PJ&A data breach impacted 8,952,212 individuals, with the total affected surpassing 13 million.
In 2023, an average of 364,571 healthcare records were breached per day.
Prior to 2023, the worst year for data breaches was 2015, with more than 112 million records exposed.
In 2020, 599 reported breaches affected 26 million individuals.
The 2015 Anthem data breach exposed 78.8 million unsecured records.
The average cost of a healthcare data breach is $7.13 million, surpassing the global industry average.
Notable Data Breaches and Settlements
The 2015 Anthem data breach impacted 78.8 million individuals.
In 2015, breaches at Premera Blue Cross and Excellus each affected over 10 million individuals.
The Eye Care Leaders breach in 2022 compromised 39 HIPAA-covered entities and exposed the data of more than 3.09 million individuals.
The American Medical Collection Agency breach in 2019 affected over 25 million individuals.
The largest financial penalty for a HIPAA violation occurred in 2018 when Anthem Inc. paid $16 million for its 2015 data breach.
Premera Blue Cross reached a $6.85 million settlement in 2020 for its 2015 HIPAA breach.
In 2021, Excellus Health Plan agreed to pay $5 million as part of its HIPAA settlement for the 2015 breach.
The OCR levied $13.5 million in HIPAA fines in 2020, with the largest individual fine being $6.85 million.
The 2015 Anthem data breach appeared eighteen times on the breach report.
The largest settlement for a HIPAA breach was with Anthem for $16 million, followed by $46.2 million in fines from State Attorneys General and a $115 million class action settlement.
Business Associates vs. Healthcare Providers
In 2023, breaches involving business associates resulted in the exposure or theft of more than 93 million records.
Healthcare providers experienced breaches that compromised 34.9 million records in 2023.
In April 2023, business associates reported 13 incidents that impacted 4,077,019 patients, accounting for 92.2% of all affected patients.
Accidental negligence is twice as likely to occur as malicious negligence.
OCR Enforcement Actions and Penalties
The OCR has settled or imposed civil money penalties in 147 cases, amounting to a total of $143,728,972.
In 2020, the OCR took 19 enforcement actions, leading to settlements.
2021 saw a reduction in the number of financial penalties issued by the OCR.
The year 2022 set a record with 22 penalties imposed, the highest number in a single year to date.
From September 2019 to December 2023, 46 penalties were imposed specifically for HIPAA Right of Access violations.
In 2018, the OCR collected $28,683,400 in payments from HIPAA violation penalties.
In 2016, OCR payments from HIPAA violations amounted to $23,505,300.
Due to a review of HITECH Act language, the OCR reduced penalty caps in 3 of 4 penalty tiers.
In 2022, 55% of financial penalties were imposed on small medical practices.
The OCR imposed $13.5 million in HIPAA fines in 2020, with the largest single fine being $6.85 million.
In 2022, the average HIPAA fine was $98,643.
As of May 2, 2023, nearly 40% of HIPAA fines were for Right of Access violations.
There was a staggering 450% increase in Right of Access fines from 2019 to 2022.
The years 2021 and 2022 saw more HIPAA fines issued than in any previous year.
Only 126 entities have either been issued a Civil Monetary Penalty or reached a financial settlement with the OCR.
The HHS Office for Civil Rights has collected over $133 million from the 126 cases involving HIPAA violations.
Reduce your risk. Work with vendors who understand healthcare and the challenges associated with patient communication and data.
Dialog Health is leading the way in HIPAA-compliant patient and staff engagement.
In healthcare, privacy is paramount – for providers and vendors alike. Dialog Health's platform adheres to the latest HIPAA, TCPA, and CTIA standards. Our software was built for healthcare and your trust in our HIPAA-compliant text messaging solution is well-placed.