Most 2021 breaches stemmed from hacking, IT incidents

Nearly three-quarters of healthcare data breaches reported to the federal government last year were attributed to hacking or information-technology incidents, according to a review of the latest data from the Health and Human Services Department's Office for Civil Rights.

As of Wednesday, the agency lists 712 breach reports that healthcare providers, insurers and their business associates submitted to the agency in 2021. These incidents affected more than 45 million patients. Last year's tally was the highest since the Office for Civil Rights debuted its breach portal in 2010; the previous record was 663 in 2020.

Hacking and IT incidents, which can include everything from cybercriminals intruding into computer systems to organizations accidentally misconfiguring their cloud servers, accounted for 73.9% of 2021's breaches with 526 incidents.

All of the 10 largest breaches reported in 2021—each of which included data on at least 1 million patients—stemmed from cybercriminals infiltrating network servers or email systems.

The largest breach of the year affected an estimated 3.5 million people who applied for or enrolled in coverage from Florida Healthy Kids, the not-for-profit company that operates the state's Children's Health Insurance Program. Florida Healthy Kids discovered the hack in December 2020 and reported it to HHS in January 2021.

Healthcare entities governed by the Health Insurance Portability and Accountability Act must disclose breaches within 60 days of discovering them, meaning some of the incidents reported to OCR in 2021 may have occurred in 2020 or even earlier. The data posted to the Office for Civil Rights portal as of Wednesday likely don't include incidents covered entities detected in December 2021.

Download Modern Healthcare’s app to stay informed when industry news breaks.

Hacking and IT incidents are to blame for a growing proportion of healthcare breaches each year, the HHS data show. Hacking and IT incidents accounted for 68.6% of breaches reported in 2020, 61.1% in 2019, 45% in 2018, 41.3% in 2017 and 35% in 2016.

Security and patient-safety experts have cited cyberattacks as a critical safety issue that can increase patients' length of stay and delay care. Safety and quality organization ECRI named cyberattacks the top health technology hazard in a report published Tuesday. These events can significantly disrupt hospital operations and patient care, the ECRI study says.

The second-largest driver of breaches after hacking and IT incidents in 2021 was unauthorized access and disclosure, which accounted for 20.6% of the year's breaches. There were 3.4% of breaches attributed to theft, 1.4% attributed to loss and 0.7% attributed to improper disposal.