Did you know that in the United States, the HITECH Act requires the Secretary of Health & Human Services to post a list of breaches of unsecured Protected Health Information (PHI) affecting 500 or more individuals?   A secret to some, a “wall of shame” to others, and to a few: interesting patterns and analytics.

I wanted to look at the trends related to breached PHI since 2010.  I ran an analysis against all types of breached data, ranging from physical theft to accidental disclosures to cyber incidents and found some interesting patterns.  Are we getting better at protecting sensitive data?  Are we getting worse? Or, are we about the same?

Between 2010 and 2014, US breached PHI records fluctuated between 6 million and 12 million individuals' records per year, consistently spiking every other year. These are not good numbers, but they alternate steadily from small(er) to large(r). But then in 2015… BAM!… 110 million additional breached PHI records (from just five large breaches: 79 million records; 11 million records; 10 million records; 4.5 million records; and 3.9 million records). Otherwise, the trend would have shown a significant decline to just 3 million records. That number (3 million records) would have been the lowest number of breached PHI records since 2009 – believe it or not.

Alas, 2015 was a very, very bad year for PHI with a whopping 113,267,174 breached records.


Curious, I reran the analysis to illustrate the pattern, minus the five large-volume breach events. Although fantasy, I wanted to see what the trend might have been without the five biggies. And, voilà. There’s that sawtooth again (up, down, up, down).
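The rerun described above can be reproduced with a short script. This is an added example, not the author's own code: the rows are constructed sample data (not real HHS records), and the column names are assumed to match the breach portal's CSV export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not real HHS data). Column names are an
# assumption modeled on the breach portal's CSV export.
SAMPLE_CSV = """Name of Covered Entity,Breach Submission Date,Individuals Affected,Type of Breach
Entity A,03/14/2014,"4,500",Theft
Entity B,08/02/2014,"1,200,000",Hacking/IT Incident
Entity C,02/10/2015,"9,000,000",Hacking/IT Incident
Entity D,05/21/2015,"2,300",Unauthorized Access/Disclosure
Entity E,11/30/2015,"750,000",Loss
Entity F,04/18/2016,"3,100,000",Hacking/IT Incident
Entity G,09/09/2016,,Theft
"""

def load_breaches(text):
    """Parse rows into (year, individuals_affected); skip rows with no count."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        count = rec["Individuals Affected"].replace(",", "").strip()
        if not count.isdigit():
            continue  # blank or malformed count: cannot be summed
        date = rec["Breach Submission Date"].strip()
        rows.append((datetime.strptime(date, "%m/%d/%Y").year, int(count)))
    return rows

def yearly_totals(rows, drop_largest=0):
    """Sum records per year, optionally excluding the N largest breaches overall."""
    ranked = sorted(rows, key=lambda r: r[1], reverse=True)
    totals = defaultdict(int)
    for year, count in ranked[drop_largest:]:
        totals[year] += count
    # A year made up only of excluded outliers still appears, as 0.
    for year, _ in rows:
        totals.setdefault(year, 0)
    return dict(sorted(totals.items()))

if __name__ == "__main__":
    rows = load_breaches(SAMPLE_CSV)
    print("all breaches:   ", yearly_totals(rows))
    print("minus 2 largest:", yearly_totals(rows, drop_largest=2))
```

Comparing the two outputs side by side shows how much of a year's total comes from a handful of very large events rather than from the underlying trend.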

2016 was another terrible year for PHI breached records, at 16.7 million records.

But here’s some good news: 2017 yielded the lowest number of breached PHI records since 2009, at 5,138,179 records according to the US Department of Health & Human Services (HHS). Although the number of hacker/security incidents increased dramatically from 2015 to 2017, the number of breached PHI records (as reported to HHS) is indeed declining.

This offset is likely due to PHI handlers implementing improved data encryption solutions as well as more effective data management practices. While hacking incidents are expected to increase in 2018, the trend on breached PHI records is looking promising thus far.

Q1 2018

In the first three months of 2018, the number of breached PHI records was 573,527. If the remainder of the year continues on the current trend, then we may see an all-time low in the number of breached PHI records at 2.2 million records.

More optimistically, 2017 saw about one-third the breached PHI records compared to 2016. Perhaps, we will find that 2018 will net less than one-third the count from 2017 (something around 1.6 million).  I’m going to make a prediction that the total PHI breached records count for 2018 will be 1.6 million.  I guess, by next January we’ll know how that turned out.

While we all aim for zero, it’s really encouraging to see the sawtooth pattern going away, and the annual totals beginning to steadily decline.

If you work in the healthcare space or manage PHI data, then stay tuned for my part 2 of this article – where I will go into detail on the things you can do to reduce your risk of data breach (PHI, or other sensitive data).

Till next time,