ITRC Issues 2014 Data Breach Report

The Identity Theft Resource Center has issued its 2014 data breach report which paints a worrying picture for the healthcare industry. Healthcare data breaches accounted for 42.3% of all recorded breaches for the entire year. A record 322 security breaches were reported for the year, exposing more than 8 million Americans private and confidential information.

The landscape has certainly changed and the healthcare industry must make changes too. Without major updates to security measures to protect the privacy of patient data, 2015 is likely to see this year’s record totals smashed again.

Last year saw some of the largest data breaches ever recorded, with the Community Health Systems data breach exposing an estimated 4.5 million patient records. No medical data was lost, but Social Security numbers were exposed in the incident.

The figures in the 2014 data breach report are swelled by major security incidents at numerous healthcare providers and their Business Associates: Sutherland Healthcare Solutions, Connecticut Community Health Center, St Joseph Health System and Touchstone Medical Imaging all reported data breaches that exposed more than 100,000 records each. Even government and state departments are not immune to HIPAA breaches. In 2014 the Montana State Department of Public Health and Human Services was targeted by hackers who obtained protected records of 1.3 million individuals. The Indiana Health Service Also suffered a major security breach which exposed over 200,000 records.

2014 was a year that saw the OCR take action against offenders, and heavy fines have been issued for non-compliance with HIPAA Privacy and Security Rules. New York-Presbyterian Hospital and Columbia University arrived at a settlement with the Office for Civil Rights for $4.8 million for potential HIPAA violations. This was the highest ever settlement that has been reached with the OCR. Concentra Health Services was another loser, having been ordered to pay $1,725,220 for the HIPAA breach it suffered.

Data from the Ponemon Institute suggests that fines are not the only costs that have to be covered. In its 2014 Cost of Data Breach Study: Global Analysis report it estimated that the overall cost of data breaches to the healthcare industry is in excess of $5.6 billion, while the average data breach costs the industry $3.5 million.

The 2014 data breach report shows the financial sector in second place, which was responsible for 32.7% of the data breaches for the year. The sector registered a staggering 79 million exposed records, in large part due to the cyberattack on Home Depot.

The total number of breaches reported for the year was 761. The total number of victims from 2014 data breaches is listed as having reached 83,176,279 individuals.

The coming year looks likely to see data breach trends continue, with the healthcare industry posing such an attractive target to cybercriminals. Unless big changes are made and healthcare organizations start investing more heavily in data security, we are likely to see large scale data breaches with increasing regularity.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of