20 Million US Health Records Breached, Mostly Due to Hacking: Why India should worry about it

With large-scale health digitization projects like Ayushman Bharat Digital Mission (ABDM) underway, this breach of health records should be noted in India

20.2 million health records were breached in the first half of 2022 in the US, an analysis by HIPAA Journal reveals. That is down from 27.6 million in H1-2021 and 22.2 million in H2-2021. Despite this reduction, the number of breached records remains very high. A simple calculation would reveal that over 70 million health records have been breached in the last 18 months.


More about HIPAA Journal: HIPAA Journal is a website covering issues related to HIPAA compliance. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a US federal law which aims to protect “sensitive patient health information from being disclosed without patients’ consent”, among other things.

Why it matters: Initiatives like Ayushman Bharat Digital Mission (ABDM), which aims to digitise health records, also put the data of Indians at risk of being hacked or leaked, especially in the absence of a strong data protection law. Hospitals and medical websites face a similar risk since they collect and store a lot of health data about patients. This analysis indicates the risks that come with digitisation of health records.

Major points to note from HIPAA Journal’s analysis of healthcare data breaches in H1, 2022:

  1. 6% decline in the number of healthcare data breaches with 500 or more records in the past 18 months: The number stood at 347 in H1-2022, the same as in H2-2021; in H1-2021, the number was 368.
  2. Four data breaches in H1-2022 had 1 million+ records: The biggest data breach affects 2 million individuals, while the second biggest data breach affects 1.3 million individuals. Moreover, 37 data breaches had more than 100,000 healthcare records. The most popular range for healthcare data breaches was 10k to 100k records.
  3. Hacking/IT incidents accounted for about 80% of the health data breach incidents in H1-2022: Moreover, out of the 20.2 million people affected by data breaches, 19.6 million were affected by hacking incidents. “The average hacking/IT incident breach size was 70,954 records in 1H, 2022 and the median breach size was 10,324 records” the HIPAA Journal website states.
  4. Most of the breached Protected Health Information was stored in Network servers: This is “unsurprising given the high number of hacking incidents and ransomware attacks”, the website states. Moreover, a lot of health data is compromised through emails because of “phishing attacks and brute force attacks to guess weak passwords. HIPAA-regulated entities can reduce the risk of email data breaches by implementing multifactor authentication and having robust password policies and enforcing those policies,” according to HIPAA Journal. The chart below shows the location where healthcare data was stored in H1-2022.

  5. Rising breaches at Business Associate level: Although most of the breaches in H1-2022 occurred at the Healthcare Provider (includes hospitals, clinics, nursing homes etc.) level, the number of breaches at the Business Associate (includes software providers, cloud service platforms, billing companies) level has increased significantly. 183 breaches through Healthcare Providers occurred in H1-2022, down from 213 in H2-2021. At the Business Associate level, the number of breaches increased by 31%, from 97 to 128, during the same period.
  6. “U.S. states with the highest populations tend to be the worst affected by data breaches”, HIPAA Journal website says: The highest number of breaches occurred in New York (29), followed by California (23), New Jersey and Texas (18), Florida and Ohio (17) and Michigan & Pennsylvania (15).
  7. Penalties: The Office for Civil Rights (OCR) “started taking a harder line on HIPAA-regulated entities that were discovered to have violated the HIPAA Rules and increased the number of financial penalties imposed”, the website states. However, it adds that “2022 has started slowly in terms of HIPAA enforcement actions, with just 4 financial penalties imposed by OCR in 1H, 2022”. 

Why India should be worried:

  1. Cyberthreats have no boundaries: Almost 80% of the data breached was through hacking/IT incidents. Hackers know no boundaries and if they can extract data from a system in the US, then what’s stopping them from attacking with ransomware in India?
  2. Lack of a strong data protection law: The Central government withdrew the Data Protection Bill on August 3, 2022. A relevant bill is expected to be tabled in the monsoon session this year but as of now, without any concrete law protecting the privacy of individuals, there’s a lot of scope for misuse of health data.
  3. Lack of awareness: It’s hard to imagine people in India being aware of the privacy policy of a company or how their health data will be used once shared with a hospital or a medical website. Moreover, most organisations write their privacy policy in English, which is not the preferred language for most Indians.

In August 2019, healthcare records of 6.8 million individuals were hacked in India. A Surfshark report states that India was the country with the third highest data breaches in the world in 2021, after the US and Iran. 86 million data breaches occurred in India whereas the number was 212 million in the US. Policymakers can take a cue from the US’s system of making the information about healthcare data breaches publicly available to put accountability on stakeholders. Moreover, India should only proceed towards its digitisation plan with caution and a plan for strong cyber-security.

Limitations to the analysis: The HIPAA Journal website mentions that the total number of breaches reported may change throughout the process of analysing how the data was compromised. They also state that “many HIPAA-regulated entities report data breaches using a placeholder of 500 records, and then submit an amendment, so the final totals may not be reflected in this report.”

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
