The 2020 Healthcare Data Breach Report: an Analysis of HHS Breach Reports from January 2020-June 2020


Data breaches reported to HHS declined in the first half of 2020 – but watch out for the next wave.

The number of healthcare breach reports is down 10.4% compared to the second half of 2019, while the number of breached records is down nearly 83%.

The 2020 H1 Healthcare Data Breach Report – an excerpt

Health and Human Services (HHS) data shows that the number of patient data records breached declined during the early stages of the pandemic, but is expected to surge as the ‘new normal’ creates new vulnerabilities.

Data breaches involving the protected health information (PHI) of patients declined sharply during the first half of 2020, according to a CI Security analysis of data reported to the U.S. Dept. of Health and Human Services (HHS).

The number of HHS breach reports from healthcare organizations is down 10.4% in the first half of 2020, compared to the second half of 2019, and the number of reported breached records is down nearly 83%.

While there isn’t one simple explanation for the numbers declining so precipitously in the midst of a global pandemic, a combination of factors may have come into play, including:

1. Healthcare organizations upping their cyber security programs.

2. Some healthcare organizations misunderstanding HHS exceptions issued during the pandemic, leading them to believe they had a COVID-19-related extension beyond the required 60-day window.

3. Healthcare organizations were simply too busy to report.

4. Some healthcare organizations were hopeful that cybercrime groups who promised to “go easy” on healthcare for the duration of the pandemic would keep their word. Unfortunately, we have seen a number of reports of phishing and other attacks from cybercrime gangs and nation-states taking advantage of over-stressed healthcare entities during the first half of the year.

5. Some healthcare organizations have been so distracted by the pandemic and associated emergency operations that they have been breached, but don’t know it yet. This is the most ominous explanation, but it seems very plausible given that the average time it takes for healthcare organizations to spot a breach is 329 days, according to IBM’s 2020 “Cost of a Breach” report.

We anticipate that cyber attacks will surge over the next six months for two reasons…