The Paubox HIPAA Breach Report for 2019 analyzed an entire year's worth of HIPAA breach reporting by the U.S. Department of Health & Human Services (HHS). Results and takeaways from our findings are summarized in this post. As a recap, any breach that affects the protected health information (PHI) of 500 or more people is required by law to be submitted to HHS within 30 days.
How we compiled the data
Since 2017, we have published a monthly HIPAA Breach Report that covers the preceding month's reported breaches. We therefore began our 2019 data collection by starting with the Paubox HIPAA Breach Report for February 2019. We then compiled monthly data going all the way until the HIPAA Breach Report for January 2020.
Source Data: The full summary of HIPAA breach data for 2019 can be found here (Google Sheets).
We found two caveats in our reporting that the reader should be aware of. First, although organizations are required by law to report a data breach within 30 days of discovering it, we found that a number of companies took months (if not a year or more) to discover the breach itself. Therefore, it's hard to decisively determine which months are "hotter" breach months than others. Second, we normally compile our monthly Breach Reports during the second week of the following month. Due to the 30-day grace window allowed by HHS, there is a chance some organizations reported a breach for the prior month after we compiled and published our monthly report. In that instance, they would not make our 2019 Annual Report for HIPAA Breaches. It should be noted, however, that the HHS site that maintains the breach data, otherwise known as the Wall of Shame, does not hold data past 24 months. In the years to come, this report may become the only source of HIPAA breach data for 2019.
There were 418 reported HIPAA breaches in 2019. In total, 34.9 million Americans had their protected health information breached. That represents roughly 10% of the US population in a single year of breaches. With the aforementioned caveats in mind, we chose to plot 2019 breach data by three categories:
- Breach volume by people affected
- Breach volume by threat vector
- Breaches by month
When it came to the sheer number of individuals affected, the Network Server category far and away led the field with 30.6 million Americans' PHI breached. The outlier of HIPAA breaches in 2019 was caused by a Business Associate. American Medical Collection Agency (AMCA), which took at least eight months to discover the incident, reported breaches that affected two of its customers and compromised 22.3 million individuals. The other statistic that jumped out was email. At 161 reported HIPAA breaches in 2019, Email accounted for 39% of the total and nearly twice as many as its closest "rival."