by adgrooms on December 17, 2019

We are currently working on a healthcare data breach report, visualizing and analyzing reported breaches from the last ten years. In each blog post, we are releasing a piece of the report which will ultimately be available in one PDF file. The first two posts have focused on the number of individuals whose personal health information has been compromised. This post focuses on the different healthcare entities that have reported breaches. Patient health information is sometimes stored by and distributed between multiple entities. Are some more vulnerable?

There are four types of entities that handle patient health information.

  • Healthcare Providers: Doctors; Clinics; Psychologists; Dentists; Chiropractors; Nursing Homes; Pharmacies
  • Business Associates: Businesses that the provider relies on to perform certain business functions that use PHI. These services include legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
  • Health Plans: Health insurance companies; HMOs; Company health plans; Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
  • Healthcare Clearinghouses: Entities that process nonstandard health information received from another entity into a standard format (i.e., standard electronic format or data content), or vice versa. This includes billing services, repricing companies, community health management information systems or community health information systems, and "value-added" networks and switches.

Breaches affect some types of healthcare entities more than others. Looking at the numbers, we can see the variations between them. Providers had the greatest number of incidents at 2182 total over 10 years, while clearinghouses had only 6.

Number of Incidents per Entity Type

However, based on the number of individuals affected, health plan breaches have the biggest impact with totals approaching 125 million individuals, close to the total of the other three entities combined. Providers are the second most affected, with business associates close behind. Clearinghouses have a noticeably low number of individuals affected compared to the other entities.

Number of Individuals Impacted per Entity Type

We see yet another perspective when we look at the ratio of individuals affected per incident in the following chart. Health plan breaches affect more individuals per incident. A possible explanation is that health plans warehouse much larger amounts of data than other entity types; the 5 largest insurers control more than 38% of the market. This could make them a prime target for hackers: if hackers are going to put in time breaking into data, they want the payoff to be worth it. Healthcare providers house far fewer records per institution overall. While there are large hospitals, there are many smaller institutions where breaches may be more likely to result from hardware theft, yielding smaller amounts of data. Clearinghouses also had a high ratio of individuals affected per incident. In the other views they appeared to be a low-risk target, but again, because of the high volume of data they handle, a few incidents have a large impact. Based on this data it is hard to discern whether they are an overlooked target or have strong security measures in place.

Ratio of Individuals Impacted to Incident by Entity Type
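The three views above (incidents per entity type, individuals per entity type, and individuals per incident) all come from the same grouping of breach records. The script below is an added example, not part of the report, showing how to compute them from a CSV of reported breaches; it assumes the column names "Covered Entity Type" and "Individuals Affected" (the layout of the HHS OCR breach portal export, used here as an assumption) and uses constructed sample rows, not real breaches. It also reports the median alongside the mean, because with only a handful of incidents (as with clearinghouses) one large breach dominates the ratio.

```python
import csv
import io
from statistics import median

# Constructed sample rows (made-up entities and counts) in the assumed
# column layout of an HHS OCR breach portal export.
SAMPLE_CSV = """Name of Covered Entity,Covered Entity Type,Individuals Affected,Type of Breach
Example Clinic A,Healthcare Provider,1200,Theft
Example Hospital B,Healthcare Provider,85000,Hacking/IT Incident
Example Clinic C,Healthcare Provider,600,Loss
Example Plan D,Health Plan,4000000,Hacking/IT Incident
Example Plan E,Health Plan,2500,Unauthorized Access/Disclosure
Example Billing F,Business Associate,300000,Hacking/IT Incident
Example Billing G,Business Associate,900,Theft
Example Switch H,Healthcare Clearinghouse,150000,Hacking/IT Incident
"""


def load_breaches(text):
    """Parse CSV text into a list of {entity, affected} dicts with integer counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            affected = int(row["Individuals Affected"].replace(",", ""))
        except (ValueError, KeyError):
            continue  # skip rows without a usable count instead of aborting the whole run
        rows.append({"entity": row["Covered Entity Type"], "affected": affected})
    return rows


def summarize_by_entity(rows):
    """Return {entity_type: {incidents, individuals, mean_per_incident, median_per_incident}}."""
    groups = {}
    for r in rows:
        groups.setdefault(r["entity"], []).append(r["affected"])
    summary = {}
    for entity, counts in groups.items():
        summary[entity] = {
            "incidents": len(counts),                     # first chart
            "individuals": sum(counts),                   # second chart
            "mean_per_incident": sum(counts) / len(counts),  # third chart (ratio)
            "median_per_incident": median(counts),        # robust to one mega-breach
        }
    return summary


if __name__ == "__main__":
    for entity, s in sorted(summarize_by_entity(load_breaches(SAMPLE_CSV)).items()):
        print(f"{entity:25} incidents={s['incidents']:3} individuals={s['individuals']:>10,} "
              f"mean={s['mean_per_incident']:>12,.0f} median={s['median_per_incident']:>10,.0f}")
```

In the sample, the provider mean is pulled to roughly 28,900 by a single 85,000-record incident while the median stays at 1,200, which is the kind of gap the ratio chart alone cannot show.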

In future posts, we will be discussing what we can know and cannot know from the breach data and looking into the costs associated with data breaches.