HIPAA Breach Statistics

I recently came across a great blog post by Danika Brinda on the TriPoint Healthcare Solutions blog that looked at the HIPAA Breach statistics. I guess Danika is a nerd like me and enjoys looking at the HIPAA breach statistics. Here’s some of her high level findings from the latest HHS reports:

  • A total of 1,293 Data Breaches have been reported since September 2009
  • Paper is still the #1 location (media type) of data breaches – 23% of total breaches involving greater than 500 individuals
  • Theft and Loss make up 59% of types of data breaches
  • Data hacking only makes up 10% of all data breaches where greater than 500 individuals were impacted
  • Business Associates are responsible for 22% of data breaches greater than 500 individuals

You can go check out her blog post for other findings and a number of charts using the data.

I think the stats above paint a very different picture than what most would expect. Many like to pretend that somehow breaches weren’t really an issue on paper. The stats above definitely say otherwise. I was also shocked that 59% of breaches were from theft of loss. Although, I wonder if more of those are reported, because it’s not as shameful to have something stolen from you as maybe some other violation which illustrates your negligence.

What wasn’t surprising to me was the increase in business associates that were responsible for the breach. I believe that number will continue to increase and increase dramatically. Many healthcare organizations don’t have a good grip on the HIPAA compliance of their business associates and I think they’re going to get blind sided by breaches.

What do you think of this data? Anything stand out to you?

About the author

John Lynn

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • Compare paper/film breaches to EHR breaches with regard to the number of individuals involved.

    paper/films 2,260,171
    EHR 6,807,956
    Three times as many individuals involved with EHR compared to paper.

    Wouldn’t this be a more important number to ponder?

  • SGC,
    Good catch. I’ve pointed that out in many previous articles. Technology often limits the number of incidents, but it also makes it really easy for the incidents that do occur to be much larger.

  • John – thanks so much for sharing my article! The statistics are definitely something to continue to evaluate and look at as more data breaches continue to occur! My hope is some day they will produce the information on the under 500 individuals data breaches so we can look into those as well!

    Definitely great to point out that the number of individuals impacted by data breaches is more with a EHR that it is on paper or film; however, it is still surprising that there is such a high number of data breaches that still occur on paper. The stats can be sliced and diced in many different ways. I think all aspects of the data is interesting numbers to ponder and evaluate how they are impacting our healthcare environment and how we are protecting patient data overall!



  • Danika,
    I don’t see any reason why they shouldn’t have the under 500 reported as well. I’d be fine with it being reported without even disclosing the specific institution. It would give us a lot of insight into how bad the security and privacy problems in healthcare really are.

    What’s amazing to me is that there were more paper breaches than electronic and we’re talking about over 500 individuals. That’s a high standard for paper.

Click here to post a comment