
Number of data breaches continues to rise
Report to Congress finds 39% increase from 2017-2021, though numbers fell in last year covered by report
Reports of breaches of federally-protected
Those findings were part of the U.S. Department of Health and Human Services’
The report found that between 2017 and 2021 the number of HIPAA-related complaints OCR received increased by 39%, from 24,506 to 34,077, while the number of reported data
The trends contained some more hopeful news for the most recent years covered by the report. From 2020 to 2021 reports of breaches affecting fewer than 500 individuals decreased by 4% to 63,571, while those affecting more than 500 individuals fell by 7% to 609. On the other hand, OCR received 25% more complaints in 2021 as compared to 2020.
OCR completed 573 compliance reviews in 2021 and required the entities it reviewed to take corrective action or pay a fine in 475, or 83% of them. Resolution of two of the reviews included fines totaling more than $5.1 million.
According to the report, the OCR saw no increase in its funding appropriations from 2017 to 2021. Moreover, a 2019 regulatory change reduced the maximum annual cap for three of the four financial penalty tiers OCR could levy for HIPAA violations.
“These factors have combined to cause a severe strain on OCR’s limited staff resources,” the report states. As a result, OCR was forced to limit its HIPAA enforcement activities at a time when the health care sector was experiencing substantial growth in cybersecurity attacks.
In a separate report, OCR provided more details about the 609 breaches involving more than 500 individuals it investigated in 2021. It found that hacking of electronic equipment or a network server accounted for 75% of them and for 95% of all individuals affected by breaches of any kind. The other causes were:
- Unauthorized access or disclosure of records containing personal health information (PHI): 19%,
- Theft of electronic equipment/portable devices containing PHI: 3%,
- Loss of electronic media or paper records containing PHI: 1%, and
- Improper disposal of PHI: 1%
Health care providers accounted for 66% of the entity types where breach reports originated, followed by business associates (26%), health plans (9%), and health care clearinghouses (1%).


















