Report Finds 50M Medical Records Were Exposed In 2021

The 2022 Breach Barometer Report from Protenus indicates that 2021 was a particularly disastrous year for data breaches in the healthcare industry, with more than 50 million medical records disclosed or compromised. The data for the study was provided by The report contains incidents that have not been declared by the compromised organization, data breaches involving healthcare data at non-HIPAA-regulated entities, data breaches involving healthcare data reported to regulators, and data breaches that have been publicized in the media.

Since 2016, Protenus has been publishing yearly Breach Barometer reports, and each year since 2017, more records have been compromised due to breaches of healthcare data. At least 50,406,838 people were reported to have been impacted by healthcare data breaches in 2021, a 24 percent increase over the previous year. The report includes 905 incidents, which is a 19 percent increase from 2020. For the sixth consecutive year, the number of hacking incidents climbed, accounting for 678 breaches, or 75 percent of all breaches for the year. The hacking incidents involve malware, ransomware, phishing, and email attacks. The report revealed that 43,782,811 records were exposed or stolen as a result of the breaches, making up 87 percent of all records that were compromised in 2021. At least 110,6656 records were compromised in 32 theft-related incidents, and at least 30,922 people’s records were exposed in 11 cases of lost or stolen devices. A further 73 incidents could not be categorized because there was insufficient data.

The report also revealed that healthcare providers are still the HIPAA-covered entity type most severely impacted by cyberattacks, while business associate data breaches have surged to almost twice the level of 2019. 75 percent of the incidents involved hacking, twelve percent involved insider negligence, and one percent involved insider misconduct. 20,986,509 records were compromised as a result of such incidents. According to Protenus, business associate data breaches typically result in a larger number of records being compromised than other breaches.

“The need for proactive patient privacy monitoring has never been greater. The threats we’re seeing today are much more intrusive than in years past and can come from multiple sources — a random employee snooping or a sophisticated cybersecurity hacker that gains access through an employee channel,” said Nick Culbertson, CEO of Protenus. “Once a breach erodes patient trust in your organization, that’s extremely difficult to recover from.”