I was browsing the website of breaches reported to HHS today to see what types of breaches are a common trend, and what is being reported. I found some interesting statistics.

From January 1, 2009 to today, there were 1105 total breaches reported. 721 of those breaches reported to HHS were caused by theft. I’m not too surprised by this. Out of that 721 breaches, 292 were stolen laptops, 128 were stolen desktop computers, 148 were stolen paper/films.

Other Breaches Reported

155 were a hacking/IT incident, 54 were improper disposal, and 347 were unauthorized access/disclosure.

Out of the 1105 breaches, 770 of them were reported by a Healthcare Provider, while 4 were reported by a Healthcare Clearing House, and 118 were reported by a Health Plan. As required, all of these breaches involve more than 500 patients. A couple of the largest breaches were CareFirst BCBS of 1.1 million patients, Anthem which had 7.8 million and Premera BC with over 1.1 million to name a few. Most of the healthcare providers involved anywhere from 500 patients to 40,000 patients.

Not all breaches make it to the HHS wall of shame, and not all breaches need to be reported to HHS.

As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. These breaches are now posted in a new, more accessible format that allows users to search and sort the posted breaches. Additionally, this new format includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured protected health information to the Secretary. The following breaches have been reported to the Secretary:


You don’t want to make it to the wall. The worst thing you can do if you have a breach is NOT report it. That in itself is a violation. If you have a breach, report it asap. Don’t be the practice that tries to hide it. It will end up costing you later.