Breach of Unsecured Protected Health Information
kcin999
2023-02-27
What is the Unsecured Protected Health Information Dataset?
Required by the 13402(e)(4) section of the HITECH Act, the United States Department of Health and Human Services must post any breaches of unsecured health information affecting 500 individuals or more.
The data range that this report details is from October 21, 2009 through March 12, 2018. More information can be found here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
The data reported includes the following:
| Name | Description |
|---|---|
| Name of Covered Entity | Organization responsible for the patient health information |
| State | US State where the breach was reported |
| Covered Entity Type | Type of organization responsible for the patient health information |
| Individuals Affected | Number of records affected by the breach |
| Breach Submission Date | Date the breach was reported by the covered entity |
| Type of Breach | How unauthorized access to the patient health information was obtained |
| Location of Breached Information | Where was the patient health information when unauthorized access was obtained |
| Business Associate Present | Was a business associate such as a consultant or contractor involved in the breach |
| Web Description | A optional statement explaining what happened and the resolution |
Throughout this report, you will see me identify a breach as preventable. I have elected to classify a breach as preventable if it was caused by improper_disposal, loss, or unauthorized access, as I believe that those can be prevented with proper training and supervision.
2009 and 2018 are not complete years, and have been excluded from this dataset.
Summary Statistics
Examining each year, we begin to see a different picture being shaped as it comes to not only the types of breaches, but also the total number of people affected in these breaches.
Following are some statistics between 2010 and 2017 describing key statistics for each year.| Year | Average People Affected | Total People Affected | Number Of Breaches | Number of Preventable Breaches | Number of Breaches With Associate Present |
|---|---|---|---|---|---|
| 2010 | 29,957.11 | 5,931,508 | 198 | 30 | 45 |
| 2011 | 67,435.78 | 13,149,977 | 195 | 52 | 45 |
| 2012 | 13,642.68 | 2,837,677 | 208 | 59 | 37 |
| 2013 | 25,952.67 | 7,007,220 | 270 | 97 | 67 |
| 2014 | 28,660.70 | 8,139,638 | 284 | 125 | 70 |
| 2015 | 404,760.64 | 80,142,606 | 198 | 103 | 26 |
| 2016 | 26,279.09 | 6,096,750 | 232 | 108 | 51 |
| 2017 | 7,699.81 | 808,480 | 105 | 52 | 9 |
As a result of this, we see the following differences: * 2015 had the highest average people affected per breach at 404,761, while 2017 had only 7,700 people affected per breach * 2014 had the highest total people affected at 80,142,606, while 2017 had the lowest at 808,480 people affected. * 2013 had the most breaches at 270, while 2017 had the least breaches at 105. * 2014 had the most preventable breaches at 125, where as 2010 had the least at 30 preventable breaches. * 2014 had the most breaches with an associate present at 70 breaches, while 2017 had 9.
Healthcare Breaches
In the following section, we will focus on various trends as it
relates to Healthcare Data Breaches ### Number of Healthcare Data
Breaches By Year Often, people care more about their health records
remaining private, rather than other forms of protected personal
information. Similarly to the summary statistics, we are able to see the
health care breaches by year. 
Both 2014 and 2016 come in at the top with the most total breaches for
each year, while 2017 has the fewest total breaches. Up through 2015, we
saw an overall rise in the total number of breaches each year, but in
both 2015 and 2017 we see significant drops in the total number of
breaches, possibly indicating an increase in training and protection on
protected information.
Total Healthcare Records Exposed by State (Top 10 States)
While it is important to know the trend in total number of breaches each year, it is arguably more important to know the total numbers of individuals affected in these breaches.
In the following chart, the total number of individuals affected for
the top 10 states is shown. 
As we can see, Indiana has had the most individuals affected by the
breaches. From 2010 to 2017, there were nearly 80,000,000 exposed
records. The second highest is Florida, at just over 6,000,000 records
exposed. This jump is quite extraordinary over the same time period.
Number of Healthcare Hacking Incidents by Month
What is the number of breaches fluctuated with a specific month or certain months were more likely to be attacked during? Could an covered entity increase their security and training during these times?
The following chart aims to answer that question: 
Within this chart, we are able to see that both April and December have
the highest total number of breaches, while February and November have
the lowest total. These could be due to a number of reasons,
including:
- More injuries happening due to cold and ice, causing more opportunities for data exposure and accidental data leaks.
- Individuals wanting to take full advantage of their health insurance deductible, again causing more opportunities for data exposure.
Top 25 Healthcare Data Breaches
Understanding trends across years, months and states is important, but are there certain companies that should be avoided as they are at risk more often than others or expose a greater amount of protected information?| Name of Covered Entity | Individuals Affected | Breach Submission Date |
|---|---|---|
| Anthem, Inc. Affiliated Covered Entity | 78,800,000 | 2015-03-13 |
| Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group | 4,029,530 | 2013-08-23 |
| 21st Century Oncology | 2,213,597 | 2016-03-04 |
| AvMed, Inc. | 1,220,000 | 2010-06-03 |
| Montana Department of Public Health & Human Services | 1,062,509 | 2014-07-07 |
| The Nemours Foundation | 1,055,489 | 2011-10-07 |
| BlueCross BlueShield of Tennessee, Inc. | 1,023,209 | 2010-11-01 |
| Sutter Medical Foundation | 943,434 | 2011-11-17 |
| Valley Anesthesiology Consultants, Inc. d/b/a Valley Anesthesiology and Pain Consultants | 882,590 | 2016-08-12 |
| AHMC Healthcare Inc. and affiliated Hospitals | 729,000 | 2013-10-25 |
| EISENHOWER MEDICAL CENTER | 514,330 | 2011-03-30 |
| Radiology Regional Center, PA | 483,063 | 2016-02-12 |
| Puerto Rico Department of Health - Triple S Management Corp. | 475,000 | 2010-11-04 |
| St Joseph Health System | 405,000 | 2014-02-05 |
| Spartanburg Regional Healthcare System | 400,000 | 2011-05-27 |
| Triple-S Salud, Inc. - Breach Case#2 | 398,000 | 2014-01-24 |
| Triple-S Salud, Inc. | 398,000 | 2010-11-18 |
| Community Health Plan of Washington | 381,504 | 2016-12-21 |
| Affinity Health Plan, Inc. | 344,579 | 2010-04-14 |
| Emory Healthcare | 315,000 | 2012-04-18 |
| Touchstone Medical Imaging, LLC | 307,528 | 2014-10-03 |
| Central Ohio Urology Group, Inc. | 300,000 | 2016-09-23 |
| Seacoast Radiology, PA | 231,400 | 2011-01-10 |
| South Carolina Department of Health and Human Services | 228,435 | 2012-04-24 |
| Indian Health Service | 214,000 | 2014-04-01 |
As we can see, “Anthem, Inc. Affiliated Covered Entity”, had a large breach of nearly 78,800,000 individuals being exposed in one particular breach in 2015. This is concerning as this is more than California’s (39.24 million) and Florida’s (21.78 million) populations combined! It is nearly a quarter (24.103%) of the United States Population, and should attract some attention.
All Breaches
There is another category of covered entities, called the ‘Business Associates’. All this category back in and examining all breaches from 2010 to 2017.
Number of Breaches By Covered Entity
Other than just healthcare provider entities, there are a number of entities that are required to report any data breaches.
Following is a list of those entities and the total number of breaches:| Covered Entity Type | Number of Breaches |
|---|---|
| Business Associate | 282 |
| Health Plan | 199 |
| Healthcare Clearing House | 4 |
| Healthcare Provider | 1,205 |
The first part of the report has been primarily focused on health care institutions. But as we can see, Healthcare Providers rank first in the total number of breaches, with Business Associates coming in second. The Healthcare Clearing House is relatively minimal as it comes to the total number of breaches.
On What Day of the Week (Sunday, Monday, etc.) are Breaches Most Often Reported?
Knowing if there is a trend on when companies decide to report their
incidents, could give consumers a better idea of when information
regarding breaches may become public information. 
Now, I will be fully honest, I am not quite sure why this trend exists.
I recognize that the work week is why Monday through Friday is
heightened, but why Friday is such a large peak is beyond me.
It may be due to entities working through the breach and security issue during the week before they report the breach. It could be due to the heightened attention of various tasks to make sure that items are prepared and secure before heading into the weekend. It could be due to the company’s hoping that individuals will not be paying as much attention. Or quite honestly, it could be due to coincidence. Either way, it is still an interesting trend that a significant amount of breaches are reported on Fridays.
In which year (or years) were there at least 50 breaches from a ‘Business Associate’ covered entity type and at least 150 breaches from a healthcare provider covered entity type?
Years that have a high number of breaches across multiple industries may suggest that bad actors had found easier ways to get into certain systems, or where extra intent on causing some mayhem.
Searching for years in which there were 50 business associate breaches and 150 breaches from a healthcare provider shows an interesting picture:| Year | Number of Breaches Business Associate | Number of Breaches Healthcare Provider |
|---|---|---|
| 2013 | 64 | 187 |
| 2014 | 67 | 179 |
As we can see, 2013 and 2014 both shared a similar trend of 50 business associate breaches and 150 healthcare provider breaches. This fits with our first visualization of Number of Breaches By Year, in which 2013 and 2014 both had a high number healthcare breaches
How has the type of breach (hacking, improper disposal, loss, etc.) changed for each year?
Year after year, we see the attack landscape for companies change.
They adapt, implement new tools and software, or even change some of
their physical infrastructure. Has this type of breaches been affected
by this year after year? 
From 2009 to 2014, we see a large trend of theft causing the largest
amount of data breaches. While this trend maintained, unauthorized
access steadily climbed until 2015. After 2015, unauthorized access took
over and caused the most number of breaches, while theft gradually
trended downwards. This could imply that companies put in physical
security measures in order to deal with the theft, but now
cyber-security measures, as well as employee training need to have a
higher focus in order to continue reducing breaches.
What was the overall trend related to the location of the breach?
In addition to their being an overall change in types of breach, as
seen above, I wanted to explore if there was an overall trend in the
location of the breach by year, whether that was a physical or virtual
location. 
As the world turns more and more digital, we begin to see a different
trend as it comes to location of the breaches. For 2015 and 2016,
Paper/Films was the largest location, where as for 2010, 2012, and 2013,
laptops were the largest location. As companies increase their overall
digital security, older measures like Paper and Films are falling
through the cracks and are causing a large number of breaches.
Did having a business associate present change the number of people affected and did this trend last by year?
Having a business associate present at the time of the breach may
have had an impact on the total number of people affected. The business
associate may have detected the breach sooner or was able to enact some
defensive measures to limit the damage, if it was in-fact irreversible.
With the exception of 2011 and 2014, we do see a trend where that when a
business associate is present, there are less individuals affected.
Further, as we move through the years, we see that gap between
individuals affected whether an associate was present increases. That
leads me to an possible conclusion that associates are becoming more
well trained, thus limiting the overall number of individuals
affected.