* The content on this web page was compiled in part from the U.S. Department of Health and Human Services Office for Civil Rights, U.S. Census and IBM’s 2022 Cost of a Data Breach Report and is provided for informational purposes only.
Healthcare records breaches don’t necessarily come just from a doctor or other healthcare provider disclosing personal health information or improperly disposing of files without shredding them.
When we looked at healthcare data breaches across the U.S. according to the sources cited above, we found the overwhelming majority of record breaches this year (2022) — nearly 80% — came from hacking incidents.
Our review of that data shows that a combined 93 million records were hacked, affecting about a quarter of the total U.S. population (as of Jan 1, 2022). But not every state is feeling the same pain. We analyzed the Department of Health and Human Services HIPAA hacking breach reports (as of December 22, 2022) alongside IBM’s 2022 “Cost of a Data Breach Report” to see which states are most at risk, from the highest number of affected residents to the highest estimated costs.
- As many as one in four people in the U.S. may have been impacted by hacked health records in the past two years.
- It’s not loss, theft, or social media snafus: Our analysis of the data shows that 79% of breached healthcare records year to date are attributable to hacking incidents — that’s true for the year before as well.
- In the past year, Texas was hit with an estimated $700 million in losses due to hacking-related healthcare breaches (HHS-OCR and IBM).
- In the last six years, there’s been a massive explosion of hacked health records in North Dakota, with a nearly 85,000 percent increase in affected records.
According to the sources cited above, hacked medical records in recent years have affected about a quarter of the U.S. population — over 93 million patients. A single, well-placed hack can impact thousands of patients in any state.
In 2017 and 2018, hacking made up 42% and 45% of reported HIPAA breaches, respectively.
As health systems get more familiar with HIPAA regulations and explore new ways to train their staff and secure their environments internally, incidents related to theft and accidental records breaches decrease. But hacking is on the rise.
This increase in data breaches comes at a high material cost to patients: one-fifth of hacked health organizations report that they suffered an increase in mortality rates after a hack.
While there have been ups and downs in the trend line, over the past few years, the number of healthcare records affected by hacking has increased by over 300%.
The cost of hacking by state
How much does a single healthcare hack cost?
Mirroring the IBM analysis period (March 2021-2022), we divided IBM’s average cost of a healthcare breach by the average number of individuals affected by an individual hacking breach within the same period, as reported via the OCR Breach Portal. Per our analysis of the data, that averages out at about $149 per record.
$10,100,000 – IBM average cost of a healthcare breach (03/21-03/22)
67,639 – OCR reported average number of individuals affected per hacking breach (03/21-03/22)
$149 – Estimated average cost per individual affected in each healthcare hacking breach
But the cost of any single hack depends on the number of records, the cost of notifying affected individuals, and also engaging legal and help desk professionals, issuing new accounts, securing those accounts, and regaining lost goodwill.
IBM’s model helps break down the costs per individual for companies, but people whose records are hacked could also bear personal costs if their identities are stolen using hacked personal information. The individual cost of identity fraud is at its highest ever, averaging $1,551 per incident.
According to this calculation, Texas has, in recent years, experienced the highest costs from healthcare breaches.
In 2022 alone, hacking has cost the Lone Star State’s medical systems an estimated $738.6 million according to our analysis of IBM’s reporting and HHS-OCR data, up from an estimated $508.7 million the previous year.
|State||% change in estimated costs from 2018 to 2022|
In the future, as large state healthcare systems develop advanced ways of preventing cybercrime, smaller states that have smaller anti-cybercrime budgets may become the prime targets of hackers. For example, cybersecurity groups in Wyoming report spikes in hacking attempts as much as 100 times higher than in the past.
For now, larger states still see the highest hacking costs.
Most of the states in the top 10 for estimated hacking costs are also in the top 10 for population (California, Texas, Florida, New York, Pennsylvania, Illinois, and Michigan). (HHS-OCR; IBM; Jotform Analysis)
8 of the top 10 most populous states saw estimated costs over $200 million apiece in 2022. Meanwhile, Ohio ($42M) and North Carolina ($60M) eked by with much smaller hits to their medical systems. (HHS-OCR; IBM; Jotform Analysis)
|State||2020 Census Population||2022 Estimated Cost of Hacking|
Did any states escape the costs of cyberattacks in 2022? Just two: Wyoming and Alaska.
And for Wyoming, it’s not the first time. Over the past 5 years, with the exception of a single incident in 2019, Wyoming has accrued zero healthcare hacking costs (as of December 22, 2022; HHS-OCR; IBM; Jotform Analysis).
Perhaps their small number of records and lack of vulnerabilities make efforts to access their systems less profitable than in other states.
Small states, bigger impacts per capita
It might seem like small states have an advantage when it comes to protecting the patient records of residents. The limited number of patient records just isn’t as profitable for hackers. Or is it?
While size seems to correlate with the number of hacking incidents a state weathers, it doesn’t always align with how much impact a hacking incident has.
In states with small economies, health system hacks can amass huge costs compared to their state’s overall gross domestic product (GDP) each year, creating a disproportionate burden on those states.
There’s also an oversized burden on residents. In a small pool of patients, a hack can compromise a large proportion of the state’s people. In some states, those affected are even the majority.
For example, West Virginia, the state with the highest proportion of its population affected by hacked healthcare records (80%), falls among the least populated states in the nation. So does North Dakota.
West Virginia has suffered the biggest increase in hacking, with a whopping +215,240% increase in related costs since 2018 (HHS-OCR; IBM; Jotform Analysis). The records of over 80% of the population were hacked in 2022, which amounts to a total of 1,442,779 records affected.
North Dakotans saw just one reported hacking breach in 2022, which amounted to a total of 510,574 affected records. 65.5% of the state’s residents saw their information compromised in 2022. Compare this to the year prior, when the state was hit by 2 much smaller hacking incidents, impacting a small sum of 3,446 individual records (HHS-OCR; Jotform Analysis).
|State||Count of Breaches in 2022||% of Population Affected|
Hackers seem to be testing the waters in states historically less known to be hit by healthcare data breaches, which may explain why an increasing number of states across all population sizes are being impacted by data breaches.
According to World Population Review, Colorado is 21st in overall population but 5th in healthcare hacking costs (HHS-OCR; IBM; Jotform Analysis), and 4th for the highest proportion of the population impacted by these data breaches.
By contrast, less than 1 percent of Louisiana, Nevada, Virginia, Maine, South Dakota, D.C., and Mississippi residents’ records were reported as hacked in 2022 (from Jan 1 through December 22). (HHS-OCR; 2020 U.S. Census)
Protecting both patients and pocketbooks
So what’s the lesson for healthcare consumers? Significant breaches in small ecosystems can really disrupt a state’s healthcare system and many of its residents, so residents of small states are just as likely to be impacted as residents in large states. But almost all states have seen an increase in hacking breaches.
It’s likely a side-effect of COVID-19. With so many health systems expanding their administration to include remote work, records are almost always kept in the cloud, accessible from different locations and by multiple devices. That means that IT security has gotten a lot more complicated. With multiple points of entry, it’s vital to guard them all. For example, Jotform uses encryption and dedicated servers to ensure that companies control every single person who can access sensitive data.
In fact, the cloud is a safer place for patient data than physical files or company servers. Cloud-based services come with robust monitoring, intelligent threat prediction and detection, firewalls, and other resources that onsite tools don’t have.
Tools like Jotform help protect from hacking incidents. And that’s lucky because today, almost all record breaches involve hackers.
The reality is that many patients will see their healthcare records hacked, if they haven’t already.
There’s no cure for the rapidly spreading hacking epidemic, but as healthcare organizations across the country fight off more and more attacks, they will inevitably have to find better ways to protect themselves and their patients.
All data and further explanations for our analysis can be found here: Jotform Analysis: Healthcare Hacking Breaches
- The data analyzed in this report was collected on December 22, 2022.
- For the purposes of this analysis, we include only hacking-related healthcare data breaches.
- U.S. Census population data for 2020 is used for the per capita calculations.
IBM’s 2022 “Cost of a Data Breach Report.”
- In this report, IBM’s analysts found the cost of the average healthcare data breach (to the impacted entities) to be $10.1 million.
- We analyzed the U.S. Department of Health and Human Services Office for Civil Rights breach data matching the period of analysis for the IBM report (March 2021 – March 2022) to find the average number of individuals affected per hacking breach during this period: 67,639.
- We computed an estimated cost per affected record using these findings: $10.1 million / 67,639 = $149 (estimated cost per affected record)
- Our full calculations and analysis are documented here.
Census Population Data – 2020