27M people affected by health data breaches in 2019

More than 27 million people were affected by breaches of protected health information (PHI) in 2019, according to a new report from Bitglass.

The sixth annual Healthcare Breach Report from Bitglass, a next-gen cloud security company, looked at data from HHS’ “Wall of Shame,” which is a database that includes protected health information (PHI) from breaches that affected more than 27 million people.

The report revealed that the total number of records breached has more than doubled annually, from 4.7 million records in 2017 to 11.5 million in 2018 and up to 27.5 million in 2019.

The increase in record breaches is mirrored in other studies, though the counts can be much higher. For example, another recent report from Protenus found more than 41 million patient records were breached last year, up 48.6% from 2018.

Furthermore, the average number of individuals affected per breach also nearly doubled from 2018 to 2019, from 39,739 to 71,311, respectively.

The report divided the breaches into four categories: hacking and IT incidents; unauthorized access or disclosure; loss or theft; and other. Hacking and IT incidents were the top cause of breaches in 2019, accounting for 60.6% of breaches. That’s up from 45.8% of the total in 2018. In 2019, nearly 24 million people were affected by healthcare breaches from hacking and IT incidents, according to the report. All other incidents made up the remaining 3.6 million people affected.


“This means that failing to protect data in IT environments can enable breaches of particularly large scales,” the report reads.

Fortunately, lost and stolen devices are accounting for “fewer and fewer breaches each year,” according to the report, with just 42 incidents in 2019 compared to 148 in 2018.

2019 also saw a couple of breaches that impacted a significant number of patients, including the Douglas County Hospital DBA Alomere Health breach that hit more than 10.2 million patients. Texas was also a frequent target of hacking and IT incidents, and the state had the highest number of breaches last year at 47. That’s nearly double the 25 incidents seen in California, the state with the second-highest number of breaches. Texas was impacted by 15 separate breaches of Texas Health Resources, which affected 369,614 patients.

The increase in PHI breaches should be of major concern to healthcare providers and business associates, especially because these incidents can really cost an organization. The cost per record for a healthcare breach was $429 in 2019, according to the Ponemon Institute.