Health data breaches have hit 30 million patients since ’09, feds say

In the five years since federal officials began tracking health data breaches, more than 30 million patients have had their personal information compromised (Source: “Health care data breaches have hit 30M patients and counting,” Washington Post, Aug. 19, 2014).

The 2009 HITECH Act required that the U.S. Department of Health and Human Services create a database of major breach reports (those affecting 500 people or more). To date, HHS has tracked 944 incidents affecting personal information from about 30.1 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access to accounts (1.9 million people), according to a Washington Post analysis of HHS data.

There are also many more incidents of smaller-scale breaches. In 2012, for example, HHS received 21,194 reports of smaller breaches affecting 165,135 people, according to the department's most recent report to Congress. Similar numbers were reported in 2011. In all, data breaches cost the industry $5.6 billion each year, estimates the Ponemon Institute, a security firm.