Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g. healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).1 The information reported to HHS gives companies a high level of insight into the types of breaches that occur in the health care industry.

The data collected by HHS concerning breaches affecting 500 or more individuals within the last 24 months, as of November 20, 2017, shows that hacking/IT incidents have surpassed unauthorized access or disclosure as the most common form of data breach in the health sector.

[Figure: the percentage of reported breaches caused by unauthorized access or disclosure.2]

[Figure: the percentage of reported breaches caused by improper disposal and loss.3]

[Figure: the percentage of reported breaches caused by theft of hardware of all types.4]

[Figure: the percentage of reported breaches caused by hacking/IT incidents.5]

Things to consider when reviewing your information security program in light of HHS data:

  1. Conduct regular risk assessments;
  2. Have a formal incident response plan in place;
  3. Encrypt data and hardware, such as servers, network endpoints, mobile devices and medical devices;
  4. Educate employees about HIPAA;
  5. Implement different access levels for employees’ access to PHI based on their job duties;
  6. Immediately stop access to PHI by terminated employees and escort them if necessary;
  7. Require a two-step verification process to ensure that mail and email recipients’ information is correct before sending invoices or appointment reminders;
  8. Transition from paper records to secure, encrypted computer databases;
  9. Shred paper records when no longer needed;
  10. Prevent break-ins by implementing physical safeguards such as security alarms, security guards, and locks on windows and doors.