What are the HIPAA Data Breach Trends?

by Deborah Alexander, Director on October 13, 2021




What has the Health and Human Services (HHS) Office for Civil Rights (OCR) been up to these days, given the continual cyber threats being experienced? OCR currently maintains a database of closed and open investigations underway, which is easily downloadable to review for trends.

In reviewing the resolved data breaches vs. breaches currently under investigation reported on the OCR website, there appear to be some common trends. Keep in mind, the current data breaches posted by OCR include only breaches impacting 500 or more individuals and the data presented here does represent all data breaches reported to OCR for investigation. Here are some of the trends that were pulled from the OCR website.

OCR Closed Breach Investigation Trends 2019 – 2021 YTD:

  • Hacking/IT Incidents account for 505 total breaches or 61% of the closed investigations during this time period.
  • Improper Disposal, Loss, and Theft account for 96 total breaches or 12% of closed investigations.
  • Unauthorized Access/Disclosure accounts for 221 total breaches or 27% of closed investigations.
  • Business Associates were involved in 299 breaches or 36% of the closed investigations, with 220 or 74% of those breaches falling into the Hacking/IT Incident category.


Closed Breach Investigations

Data Breaches Currently Under Investigation Trends 2019 – 2021 YTD:

  • Hacking/IT Incidents continue to rise with 620 breaches accounting for 74% of the current investigations of data breaches during this time period.
  • Improper Disposal, Loss, and Theft account for 55 breaches or 6% of the current investigations.
  • Unauthorized Access/Disclosure is trending upward to 166 breaches under current investigations during this time period and accounting for almost 20% of the current investigations.


Open Data Breach Investigations

What are the Key Takeaways or Next Steps?

  • The obvious trend is the increase in hacking/IT incidents. If your organization has not conducted a HIPAA Security Risk Assessment (SRA) or penetration testing, your data may be at risk.
  • Unauthorized access/disclosure risks are required to be addressed under the HIPAA Privacy and Security Rules. Access controls fall within the HIPAA Security Rule within the addressable elements of Workforce Security, Information Access Management, and Security Awareness Training. Disclosures are addressed within the HIPAA Privacy Rule.
    If your organization has not conducted HIPAA training, you are out of compliance with HIPAA regulations and may be out of compliance with specific HIPAA liability coverages. Some liability carriers are pushing back on covering organizations when a data breach has occurred due to non-compliance with conducting SRAs.
  • Improper disposal, loss, and theft investigations remain a focus with OCR. Obviously, this is a challenging risk to mitigate, in particular, theft. This risk would trigger an SRA as a threat or vulnerability. Your organization may have a vulnerability by lacking the ability to “wipe” a device if lost or stolen, which would trigger an SRA to be conducted. A threat could be not having a policy in place on storing devices when traveling, for example, being required to place all devices containing ePHI in a locked car trunk.

Not sure where to start with conducting an SRA? Contact LW Consulting, Inc.’s (LWCI) HIPAA Security consultants. Keep in mind grant funding may be available to assist with conducting an SRA and identifying IT infrastructure needs for your organization. LWCI offers our HIPAA SP3: Security Policies and Procedures Package on our LWCI Learning Center, or we can set up a time to discuss your needs.


To learn more about how LWCI can help you, set up a 15-minute discussion with one of our experts, Deborah Alexander, Director, CHC, CHPC, PMP, DPT, MED, STC, CSCS.
