OCR’s 'wall of shame' just cracked 2,000 data breaches. Here’s how reporting has changed since 2009

More than 2,000 data breaches have been reported to the Department of Health and Human Services since 2009, when the HITECH Act began requiring the agency to post breaches on a public web portal.

But a lot has changed since the agency posted that first breach, according to Healthcare Info Security, which analyzed all 2,018 breaches.

For one, reporting has ramped up considerably. It took almost five years for the so-called “wall of shame” to reach 1,000 breaches, compared with just three years to add the second thousand. In recent years, the HHS Office for Civil Rights has made an effort to hold healthcare organizations accountable for reporting breaches within 60 days.

While poor encryption practices made up the majority of breach reports early on, hacking accounts for more than 40% of the breaches from the last two years that are currently under investigation. Hacking has also implicated far more patient records, accounting for 75% of compromised records.

“The big takeaway here is that phishing is a successful way to get inside healthcare facilities,” Susan Lucci, chief privacy officer and senior consultant at the security consultancy firm Just Associates, told Healthcare Info Security.

HHS recently updated the data breach portal, separating breaches from the last two years that are still under investigation from those that are older than two years or have been resolved.

Data breaches reported so far this year are on pace to surpass the total for last year, which was seen as a banner year for healthcare breaches. More than 230 breaches have been reported so far this year, accounting for more than 3.1 million patient records.