According to a new report by the HIPAA Journal, the first three months of 2018 have seen 77 healthcare data breaches. The breaches, reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), have impacted more than one million patients and health plan members.

Photo by rawpixel

This number is twice the number of individuals impacted by healthcare data breaches in Q4 of 2017. Between January 1 and March 31, 2018, 1,073,766 individuals had their Patient Health Information (PHI) exposed, viewed, or stolen, compared to 520,141 individuals in Q4 2017.

Throughout 2017, healthcare data breaches occurred at a rate of more than one per day. Compared to 2017, January saw fewer than one incident per day. However, January also saw the largest healthcare data breach of the quarter, making it the worst month in terms of the number of records exposed. By March, breaches increased to the typical rate of one per day.

The report indicated that the healthcare industry differs from all others in its main causes of data breaches. In other industries, hacking/IT incidents dominate the breach reports; the healthcare industry is unique in that insiders cause the most data breaches.

Unauthorized access/disclosure incidents, loss of physical records and devices containing ePHI, and improper disposal incidents accounted for 59.74% of the 77 breaches reported in Q1.

Though these incidents were more numerous, hacking/IT incidents accounted for a greater number of exposed records than all other types of breaches combined.

Interestingly, although healthcare security teams remain focused on securing their networks and preventing the theft of electronic health records, physical records were the top location of breached PHI in Q1. Email attacks (social engineering, phishing, etc.) were the second most common location of breached PHI, followed by network servers.

The two largest breaches of the year to date affected Oklahoma State University Center for Health Sciences and St. Peter’s Surgery & Endoscopy Center. 

Healthcare organizations in 35 states reported breaches of more than 500 records. The worst affected state, with 11 reported breaches, was California, followed by Massachusetts with 8 security incidents.


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach.