Healthcare Data Breaches and Complaints Reach Record Highs
The Department of Health and Human Services’ Office for Civil Rights reported to Congress this week that the number of major health data breaches and HIPAA complaints is on the rise, putting a strain on the agency’s ability to keep up with its regulatory duties. Despite the increasing workload, the agency lacks the necessary funding to address the surge in reported breaches and complaints.
In its reports to Congress, the Office for Civil Rights highlighted a 17% increase in HIPAA complaints and a 107% increase in reported breaches affecting 500 or more individuals from 2018 to 2022. These breaches affected a total of approximately 41.7 million individuals, with hacking incidents being the most commonly reported type of breach.
The agency received 626 notifications of breaches affecting 500 or more individuals in 2022, representing a 3% increase from the previous year. Additionally, there were 63,966 reports of breaches affecting fewer than 500 individuals. Unauthorized access or disclosure was the most frequently reported type of breach in these smaller incidents, affecting 257,105 individuals.
As of Friday morning, the Office for Civil Rights’ HIPAA Breach Reporting Tool website showed 739 major breaches reported in 2023, affecting more than 136 million individuals – an all-time record for the number of breaches reported in a single year.
Despite its increasing workload, the Office for Civil Rights has faced challenges in securing additional funding to support its enforcement programs. The agency has requested discretionary funding from Congress multiple times, but its annual authorized budget has remained flat at around $39 million. This lack of funding has also hindered the agency’s ability to conduct audits of covered entities and business associates to assess compliance with HIPAA rules.
In an effort to address the growing cybersecurity threats facing the healthcare sector, the Office for Civil Rights is collaborating with other HHS agencies to support the Biden administration’s healthcare sector cybersecurity strategy. The agency is also planning to issue a proposed update to the HIPAA Security Rule this spring to enhance data protection measures.
Despite the challenges posed by the increasing volume of data breaches and complaints, the Office for Civil Rights remains committed to working with Congress and the healthcare industry to improve compliance and protect against security threats.
