What is a Data Breach?

Under the HIPAA Breach Notification Rule, a breach is generally defined as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information (PHI).
An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

In other words, the burden of proof is on you: every impermissible use or disclosure is treated as a reportable breach unless your documented risk assessment shows a low probability that the PHI was compromised. You are essentially guilty until you prove your innocence.


Credit card information sells for approximately $1-$3 per account on the black market, whereas a healthcare record goes for $50-$150. Medical practices and their business associates need to be vigilant in keeping their data secure.

Although theft is still a major contributor to data breaches, hacker activity is on the rise. According to the Ponemon Institute, over the past year the average cost of a data breach caused by a malicious or criminal attack was $145 per record worldwide and about $201 per record in the US, with healthcare data breaches costing an average of $359 per record.
Of the breaches studied, 42% were due to malicious or criminal acts, 30% to human error, and 29% to system glitches.

  • 90 percent of healthcare organizations have reported a data breach in the past two years.
  • Attacks on healthcare systems have increased 100 percent since the first study in 2010.
  • The annual cost of healthcare data breaches has been estimated as high as $5.6 billion.

The figures above come from the Ponemon Institute's annual Cost of Data Breach studies.

With the increasing cost and volume of data breaches, IT security is quickly moving from being considered a technology issue to being treated as a larger business risk. This shift has increased interest in cyber insurance. We recommend that all organizations that come into contact with Protected Health Information, whether on paper or electronic, invest in cyber/breach insurance. It is just as important as your general liability, med-mal, and even car insurance!

The HHS Office for Civil Rights (OCR) publishes a list of reported breaches affecting 500 or more individuals; check it to see how often, and how, organizations like yours are being breached.

Aris takes the fear out of HIPAA through Partnership,
Education, and Support.