Following the HITECH Act, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued regulations requiring covered entities to provide certain notifications for breaches of unsecured protected health information.  OCR provides data on its website for breaches affecting 500 or more individuals.

To better understand trends for these large breaches, we have compiled the following charts. The first set looks at all breaches reported to OCR, by the cause of breach and the type of media involved. We have provided charts by number of breach incidents reported as well as by number of individuals affected, as this may help identify causes or types of media that affect a disproportionate number of individuals. To better analyze breaches happening at the business associate level, we have provided the same charts, based on the OCR data, for breaches where OCR indicates a business associate was involved. Finally, we have provided charts comparing the number of breaches, and number of individuals affected, for breaches reported to OCR as involving a business associate versus breaches reported as involving no business associate (covered entity breaches).

Charts of all breaches reported to OCR:

Charts of breaches involving business associates:

Charts of breaches by business associate or covered entity: