Introduction
In today’s world of advanced technology and interconnectedness, data breaches have become a significant concern for individuals and organizations alike. With millions of people’s sensitive information compromised each year, the impact of these breaches can be devastating.
The US Health and Human Services (HHS) maintains a public list of healthcare data breaches called the “Wall of Shame.” This list was created as part of the Health Insurance Portability and Accountability Act (HIPAA) to promote the protection of patient privacy and their protected health information (PHI). The Breach Notification Portal is the official name of this list, and it includes reported breaches affecting 500 or more individuals. Covered entities (CEs) and their business associates (BAs) must follow HIPAA guidelines to reduce the risk of a breach and avoid being listed on the Wall of Shame. The information on the Wall of Shame includes the CE’s name, state of residence, type of CE, number of affected individuals, breach submission date, type of breach, and location of the breach. The data from the Wall of Shame can be used to combat data breaches, identify insider mistakes or outside threats, and provide evidence about threat actors and their common vectors of attack to help IT officials combat future attacks.
| Column | Description |
|---|---|
| Name of Covered Entity | Organization responsible for the PHI |
| State | US State where the breach was reported |
| Covered Entity Type | Type of organization responsible for the PHI |
| Individuals Affected | Number of records affected by the breach |
| Breach Submission Date | Date the breach was reported by the CE |
| Location of Breach | Where the PHI was when unauthorized access was obtained |
| Type of Breach | How unauthorized access to the PHI was obtained |
| Business associate present | Was a business associate such as a consultant or contractor involved in the breach |
| Web Description | An optional statement explaining what happened and the resolution |
Summary Stats
| State | total_affected |
|---|---|
| IN | 79576765 |
| FL | 6001825 |
| VA | 5158001 |
| IL | 4692107 |
| TX | 4040208 |
The table shows the top five US states by total number of individuals affected by breaches. Indiana (IN) ranks highest, with a total of 79,576,765 affected individuals. Florida (FL) is second, with 6,001,825 affected individuals, followed by Virginia (VA) with 5,158,001, Illinois (IL) with 4,692,107, and Texas (TX) with 4,040,208 affected individuals.
Which Large Companies Had Breaches?
| State | Name of Covered Entity | total_affected |
|---|---|---|
| IN | Anthem, Inc. Affiliated Covered Entity | 78800000 |
| VA | Science Applications International Corporation (SA | 4900000 |
| IL | Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | 4029530 |
| FL | 21st Century Oncology | 2213597 |
| TX | Xerox State Healthcare, LLC | 2000000 |
| NY | IBM | 1900000 |
| NJ | GRM Information Management Services | 1700000 |
| FL | AvMed, Inc. | 1220000 |
| MT | Montana Department of Public Health & Human Services | 1062509 |
| FL | The Nemours Foundation | 1055489 |
This table displays the top five covered entities in the United States that have experienced data breaches resulting in the largest number of individuals affected. The table includes the name of the state, the name of the covered entity, and the total number of affected individuals.
Notably, the state of Florida has three covered entities in the top ten, while New York, New Jersey, and Montana each have one. This table emphasizes the importance of maintaining data privacy and the need for covered entities to implement strong security measures to prevent data breaches.
Average affected by State
| State | AVG Affected |
|---|---|
| IN | 1560328.73 |
| VA | 191037.07 |
| NJ | 152589.80 |
| MT | 115651.90 |
| UT | 79660.91 |
| NH | 59834.75 |
| PR | 54997.29 |
| IL | 54559.38 |
| FL | 48401.81 |
| AL | 43256.68 |
Indiana still ranks the highest in terms of average number of affected individuals per breach, which can be largely attributed to the massive Anthem breach. Florida, however, has dropped down to 9th, indicating that it may not be as bad as initially thought. Virginia had a lower total number of affected individuals, but a higher average per breach, which suggests that some states may experience more frequent breaches, while others may be more susceptible to larger-scale breaches.
Average affected by Industry
| Covered Entity Type | AVG Affected |
|---|---|
| Health Plan | 430357.68 |
| Business Associate | 59113.34 |
| Healthcare Provider | 17469.74 |
| Healthcare Clearing House | 4438.50 |
The table provides a breakdown of the average number of affected individuals per breach by the type of entity responsible. Health plans appear to be the highest offenders, with an average of over 430,000 individuals affected per breach. Business associates are second, with an average of over 59,000 individuals affected per breach, followed by healthcare providers with an average of around 17,500 individuals affected per breach. It is surprising that healthcare providers are not the highest offenders in this list, considering their access to sensitive patient information. The contrast between business associates and healthcare providers in average individuals affected per breach is also interesting. These results suggest the need for improved data security measures across all types of entities that handle sensitive information.
Business Associates Leaking the Data
While data breaches continue to be a major concern for both individuals and businesses alike, it’s important to identify the sources of these breaches in order to prevent them from happening in the future. In this next data table, we’ll be looking at the top Business Associates that have been responsible for leaking data, so we can gain a better understanding of where our data might be at risk.
| State | Name of Covered Entity | Covered Entity Type | Individuals Affected |
|---|---|---|---|
| VA | Science Applications International Corporation (SA | Business Associate | 4900000 |
| TX | Xerox State Healthcare, LLC | Business Associate | 2000000 |
| NY | IBM | Business Associate | 1900000 |
| NJ | GRM Information Management Services | Business Associate | 1700000 |
| NJ | Horizon Healthcare Services, Inc., doing business as Horizon Blue Cross Blue Shield of New Jersey, and its affiliates | Business Associate | 839711 |
| PA | Iron Mountain Data Products, Inc. (now known as | Business Associate | 800000 |
| UT | Utah Department of Technology Services | Business Associate | 780000 |
| NJ | Sutherland Healthcare Solutions, Inc. | Business Associate | 342197 |
| TX | Shred-it International Inc. | Business Associate | 277014 |
| TX | Digital Archive Management | Business Associate | 189489 |
The table provides information on the top 10 business associates that have experienced data breaches affecting a large number of individuals. Science Applications International Corporation (SA), Xerox State Healthcare, LLC, and IBM are the top three on the list, with SA being the most affected entity, affecting 4.9 million individuals in Virginia. It is concerning to note that the breach has affected such a large number of individuals, potentially compromising their personal information. The fact that these large, reputable companies were breached underscores the importance of cybersecurity measures in today’s increasingly digital world.
Interestingly, the ninth entity on the list is Shred-it International Inc., which is a company that specializes in secure document destruction. It is surprising to see that a company specializing in data security had a data breach. However, after looking into the particular incident, there is no further information to explain the cause of their breach.
In which year (or years) were there at least 50 breaches from a ‘Business Associate’ covered entity type and at least 150 breaches from a healthcare provider covered entity type?
| Year | Business Associate Breaches | Health Care Breaches |
|---|---|---|
| 2013 | 64 | 187 |
| 2014 | 67 | 179 |
The table provides data on healthcare data breaches for two consecutive years, 2013 and 2014. The data is divided into two categories: Business Associate Breaches and Health Care Breaches.
According to the data, there were 64 reported Business Associate Breaches in 2013 and 67 in 2014. Meanwhile, there were 187 reported Health Care Breaches in 2013 and 179 in 2014.
The data suggests that while the number of reported Business Associate Breaches increased slightly from 2013 to 2014, the number of reported Health Care Breaches decreased over the same period.
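The question above maps onto a single grouped query with conditional counts and a HAVING filter. The following is an added example, not code from the original analysis: the table name `breaches`, the MM/DD/YYYY date format and the 2012 and 2015 counts are assumptions, and only the 2013 and 2014 counts come from the table above.

```python
import sqlite3

# Constructed per-year counts by covered entity type. Only the 2013 and 2014
# figures come from the article's table; 2012 and 2015 are made-up filler.
CONSTRUCTED_COUNTS = {
    2012: {"Business Associate": 48, "Healthcare Provider": 160},
    2013: {"Business Associate": 64, "Healthcare Provider": 187},
    2014: {"Business Associate": 67, "Healthcare Provider": 179},
    2015: {"Business Associate": 55, "Healthcare Provider": 140},
}

def build_db(counts):
    """Load one row per breach into an in-memory table (hypothetical name: breaches)."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE breaches ("Covered Entity Type" TEXT, "Breach Submission Date" TEXT)')
    for year, by_type in counts.items():
        for entity_type, n in by_type.items():
            # Assumption: dates are MM/DD/YYYY strings, so the year is the last 4 characters.
            rows = [(entity_type, f"{(i % 12) + 1:02d}/15/{year}") for i in range(n)]
            db.executemany("INSERT INTO breaches VALUES (?, ?)", rows)
    return db

# A comparison evaluates to 0 or 1 in SQLite, so SUM(...) counts matching rows.
QUERY = """
SELECT CAST(substr("Breach Submission Date", -4) AS INTEGER) AS year,
       SUM("Covered Entity Type" = 'Business Associate')  AS ba_breaches,
       SUM("Covered Entity Type" = 'Healthcare Provider') AS provider_breaches
FROM breaches
GROUP BY year
HAVING ba_breaches >= ? AND provider_breaches >= ?
ORDER BY year
"""

def years_meeting_thresholds(db, min_ba=50, min_provider=150):
    """Return (year, BA count, provider count) for years that clear both thresholds."""
    return db.execute(QUERY, (min_ba, min_provider)).fetchall()

if __name__ == "__main__":
    for row in years_meeting_thresholds(build_db(CONSTRUCTED_COUNTS)):
        print(row)
```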
How has the type of breach (hacking, improper disposal, loss, etc.) changed for each year?
| Year | Theft | Improper disposal | Loss | Hacking | Unauthorized Access/Disclosure | Unknown | Other |
|---|---|---|---|---|---|---|---|
| 2009 | 15 | 0 | 1 | 0 | 0 | 0 | 2 |
| 2010 | 135 | 10 | 20 | 8 | 10 | 0 | 23 |
| 2011 | 122 | 7 | 18 | 17 | 34 | 7 | 2 |
| 2012 | 124 | 8 | 20 | 17 | 40 | 2 | 20 |
| 2013 | 131 | 13 | 24 | 27 | 73 | 3 | 19 |
| 2014 | 111 | 11 | 30 | 37 | 98 | 1 | 28 |
| 2015 | 64 | 6 | 23 | 25 | 80 | 0 | 0 |
| 2016 | 46 | 7 | 12 | 71 | 96 | 0 | 0 |
| 2017 | 17 | 4 | 9 | 32 | 43 | 0 | 0 |
| 2018 | 0 | 0 | 0 | 0 | 1 | 0 | 0 |
The data indicates that the number of security incidents reported increased over time until 2014, after which there was a sharp decline. The most common types of security incidents reported were Unauthorized Access/Disclosure and Hacking. However, there were a significant number of incidents classified as “Unknown” or “Other,” suggesting the need for improvement in the organization’s reporting and tracking processes. It is also important to note that there were no reported incidents in 2018, but it is possible that there were unreported incidents. Overall, the table highlights the importance of maintaining good security practices and processes to minimize security incidents and protect sensitive information.
Visuals
Number of healthcare data breaches by year
The graph provides a visual representation of the number of individuals
affected by healthcare breaches over time. It is clear from the graph
that there are two peaks in the number of individuals affected,
occurring in the years 2013-2014. This highlights the significance of
breaches that occurred during these years, potentially affecting a large
number of individuals and causing significant harm.
Total healthcare records (individuals affected) exposed by state for the top 10 states
The data presented in the graph shows the average number of individuals
affected by healthcare breaches in each state. Interestingly, Indiana
has the highest average number of individuals affected, suggesting that
there have been significant breaches in the state. It is worth noting
that this average is heavily influenced by a single incident involving
Anthem, which affected over 78 million individuals in 2015. If we
removed Anthem from the dataset, it is likely that the average for
Indiana would be closer to the averages of other states.
However, even without the Anthem breach, Virginia emerges as the runner-up with the second-highest average number of individuals affected by healthcare breaches. This highlights the importance of data security in the healthcare industry, particularly in states with large populations and high concentrations of healthcare organizations.
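How strongly one breach drives a state's average can be checked directly. This added example (not part of the original analysis) uses Indiana's total, average and Anthem figures from the tables above; the breach count of 51 is inferred from total divided by average, and the 50 non-Anthem records are constructed to sum to the remainder.

```python
from statistics import mean, median

# Figures taken from the article's tables.
IN_TOTAL = 79_576_765   # Indiana, total individuals affected
IN_AVG = 1_560_328.73   # Indiana, average affected per breach
ANTHEM = 78_800_000     # Anthem, Inc. Affiliated Covered Entity

# The breach count is not printed in the article; it is implied by total / average.
IN_COUNT = round(IN_TOTAL / IN_AVG)

def constructed_indiana():
    """Anthem plus constructed breaches that sum to the rest of Indiana's total."""
    rest_total = IN_TOTAL - ANTHEM
    n = IN_COUNT - 1
    base = rest_total // n
    others = [base] * n
    others[0] += rest_total - base * n  # put the division remainder on one record
    return [ANTHEM] + others

def skew_report(affected):
    """Summaries that show whether a single breach dominates the average."""
    rest = sorted(affected)[:-1]  # every breach except the largest
    return {
        "n": len(affected),
        "mean": round(mean(affected), 2),
        # The median reflects the constructed spread, not real per-breach data.
        "median": median(affected),
        "mean_without_largest": round(mean(rest), 2),
        "largest_share": round(max(affected) / sum(affected), 4),
    }

if __name__ == "__main__":
    print(skew_report(constructed_indiana()))
```

The mean and the mean without the largest breach follow from the article's figures alone. Running the same report per state on the real export would show which averages rest on a single incident.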
Number of healthcare hacking incidents by month
The graph provides insight into the frequency of healthcare data
breaches by month. September and May are the two months with the highest
number of breaches, while the other months are relatively consistent in
terms of the number of breaches reported.
However, it is important to note that the number of breaches reported each month may be influenced by a range of factors, including reporting cycles, security measures in place, and other external factors. Therefore, it is difficult to draw definitive conclusions about trends based solely on the number of breaches reported in a given month.
That being said, if we were to take the average number of breaches reported across all months, it appears to be around 20 attacks in a week. This underscores the ongoing threat that healthcare organizations face from data breaches and the importance of robust data security measures to protect patient information.
On what day of the week (Sunday, Monday, etc.) are breaches most often reported?
The graph provides insight into the frequency of healthcare data
breaches reported by day of the week. According to the data, Fridays
have the highest number of reported breaches, while Saturday and Sunday
have the fewest. This trend may be due to a range of factors, including
differences in reporting cycles or the timing of attacks.
However, it is also worth noting that the number of reported breaches may be influenced by factors such as when the organization chooses to report the breach, rather than the actual timing of the attack. It is possible that organizations may be more likely to report breaches on a Friday as it is the end of the workweek and may be seen as a natural reporting deadline.
Another interesting trend is that Monday through Thursday have a relatively even distribution of reported breaches, with nearly 300 attacks reported each day. This highlights the ongoing threat that healthcare organizations face from data breaches and the need for robust data security measures to protect patient information.
When a Business Associate Was Present, Was the Number of Individuals Affected Higher or Lower?
This indicates that when a business associate is present during the breach, there tends to be an average difference of 24,000 affected individuals compared to when a business associate is not present.
Does the type of breach have an impact on how many individuals are affected?
The chart being discussed displays the impact of different types of
breaches on the number of individuals affected. It is noted that
“hacking” has the highest impact in terms of the scale of the breach,
with an average of nearly 400,000 individuals affected. This suggests
that hacking is a particularly potent type of breach, with the potential
to expose large amounts of sensitive data to unauthorized individuals or
groups.
The chart also shows that the next highest impact type of breach is labeled as “unknown.” This raises questions and possibilities, such as investigating whether these “unknown” breaches are also a result of hacking or some other type of breach. Understanding the nature of these unknown breaches could help organizations better protect themselves and their customers against future data breaches.
It is further noted that all other types of breaches on the chart are on a lower scale than hacking, with the third largest type of breach being labeled as “Loss” and affecting almost 60,000 individuals on average. This suggests that while there are other types of breaches that can have significant impacts, none of them come close to the scale of hacking in terms of the number of individuals affected.
Conclusion
In conclusion, data breaches have become a significant concern for individuals and organizations in today’s interconnected world. The US Health and Human Services (HHS) maintains a public list of healthcare data breaches called the “Wall of Shame” as part of the Health Insurance Portability and Accountability Act (HIPAA) to promote the protection of patient privacy and their protected health information (PHI). By analyzing the breach data, it becomes clear that data breaches can have a devastating impact on organizations and individuals. The tables in this paper highlight the top states and covered entities affected by data breaches and the importance of maintaining data privacy and implementing strong security measures to prevent data breaches. Furthermore, the data highlights the need for improved data security measures across all types of entities that handle sensitive information, including business associates, who are responsible for a significant number of data breaches. By identifying the sources of data breaches, organizations can take steps to prevent them from happening in the future, thus reducing the risk of sensitive information being compromised.