The healthcare industry suffered its worst year to date for data breaches in 2015. The Department of Health and Human Services Office for Civil Rights (“OCR”), which tracks healthcare breaches that affect 500 or more individuals, reported that 255 breaches occurred between January 1, 2015 and December 31, 2015. Combined, a staggering 112 million records were impacted.

However, what makes 2015 unique is not the frequency of the healthcare data breaches but their size. Each of 2015’s largest three breaches eclipsed the size of any healthcare data breach that occurred in either 2013 or 2014 by at least 5 million affected records. Together, those largest three breaches accounted for over 80% of all healthcare records impacted by a breach in 2015.

But, while the size of individual data breaches increased in 2015, their frequency did not. In fact, according to the OCR’s website, the overall number of healthcare data breaches involving 500 or more individuals was down in 2015 when compared with the 287 breaches that occurred in 2014 or the 268 breaches that occurred in 2013.

Still, the healthcare industry should be prepared for more large scale attacks in 2016 and possible changes to the way the government approaches breaches. Healthcare data continues to be extremely valuable to cybercriminals. In the wrong hands, it can provide access to medical treatment or prescription medications that can be resold to third parties. It also includes valuable information like social security numbers that can be used for identity theft and fraud. Recognizing this continuing problem, Congress recently passed legislation directed at cybersecurity in the healthcare industry, which may signal that change is on the horizon.