Most 2021 breaches stemmed from hacking, IT incidents

The largest breach of the year affected an estimated 3.5 million people who applied for or enrolled in coverage from Florida Healthy Kids, the not-for-profit company that operates the state’s Children’s Health Insurance Program. Florida Healthy Kids discovered the hack in December 2020 and reported it to HHS in January 2021.

Healthcare entities governed by the Health Insurance Portability and Accountability Act must disclose breaches within 60 days of discovering them, meaning some of the incidents reported to OCR in 2021 may have occurred in 2020 or even earlier. The data posted to the Office for Civil Rights portal as of Wednesday likely don’t include incidents covered entities detected in December 2021.

Download Modern Healthcare’s app to stay informed when industry news breaks.

Hacking and IT incidents are to blame for a growing proportion of healthcare breaches each year, the HHS data show. Hacking and IT incidents accounted for 68.6% of breaches reported in 2020, 61.1% in 2019, 45% in 2018, 41.3% in 2017 and 35% in 2016.

Security and patient-safety experts have cited cyberattacks as a critical safety issue that can increase patients’ length of stay and delay care. Safety and quality organization ECRI named cyberattacks the top health technology hazard in a report published Tuesday. These events can significantly disrupt hospital operations and patient care, the ECRI study says.

The second-largest driver of breaches after hacking and IT incidents in 2021 was unauthorized access and disclosure, which accounted for 20.6% of the year’s breaches. There were 3.4% of breaches attributed to theft, 1.4% attributed to loss and 0.7% attributed to improper disposal.