Cyberattacks against healthcare have been growing at an alarming rate globally targeting the theft of clinical research intellectual property, personally identifiable information, and personal health information. Recent studies have also shown a concerning correlation between cyberattacks and patient morbidity and mortality rates. Many top security experts consider cyberattacks a top national security concern.This paper is a descriptive analysis of healthcare-related breaches in the United States in the past decade and an analysis of cybersecurity threats that are currently facing the industry.

Breach reports of unsecured protected health information affecting 500 or more individuals in the US are publicly accessible through the U.S. Department of Health and Human Services Office for Civil Rights portal. The database was downloaded and searched for all reported breaches occurring between January 1, 2011 - December 31, 2021. Breaches were subdivided by states, dates, location, entity type, and individuals affected.

Of the 3,822 PHI breaches recorded, 1,593 (41.7%) were hacking/IT related, 1,055 (27.6%) were listed as unknown, 819 (21.4%) were theft related, 194 (5.1%) were loss related, 97 (2.5%) were related to improper disposal and 64 (1.7%) were listed as “others.”

Breaches occurred within the main categories as follows: network server (957 [25%]), email (877 [23%]), paper/films (665 [17%]), other (454 [12%]), laptop (341 [9%]), desktop (309 [8%]), and electronic medical records (220 [6%]).

A total of 3,822 breaches affecting 283,335,803 people in the United States were recorded from January 1, 2011 to December 31, 2021.

The most reported breaches were from healthcare providers with 2,827 (75.1%) events, followed by health plans (500 [13.1%]), business associates (480 [12.6%]) and healthcare clearinghouses (10 [0.3%]). 4 (0.1%) breaches were from unknown sources.

This report may help healthcare providers understand the extent of the issue and mitigate some of the associated risks.