amendments.[301]

Additionally, as the number of breaches per year has grown significantly in recent years,[302] and FTC staff expects this trend to continue, FTC staff relied on the average number of breaches from 2021 through 2023 to estimate the annual breach incidence rate for HIPAA-covered entities. Specifically, HHS’ OCR reported 715 breaches in 2021, 719 breaches in 2022, and 733 breaches in 2023,[303] which results in an average of 722 breaches between 2021 and 2023. Based on the 1.7 million entities that are covered by the HIPAA Breach Notification Rule[304] and the average number of breaches for 2021-2023, FTC staff determined an annual breach incidence rate of 0.000425 (722 / 1.7 million). Accordingly, multiplying the breach incidence rate (0.000425) by the estimated number of entities covered by the amendments (193,000) results in an estimated 82 breaches per year.[305]
[301] FTC staff used information publicly available from HHS on HIPAA-related breaches because the HIPAA Breach Notification Rule is similarly constructed. However, while there are similarities between HIPAA-covered entities and HBNR-covered entities, it is not necessarily the case that rates of breaches would follow the same pattern. For instance, HIPAA-covered entities are generally subject to stronger data security requirements under HIPAA, but also may be more likely targets for security incidents (e.g., ransomware attacks on hospitals and other medical treatment centers covered by HIPAA have increased dramatically in recent years); thus, this number could be an under- or overestimate of the number of potential breaches per year.

[302] According to HHS’ Office for Civil Rights (“OCR”), the number of breaches per year grew from 276 in 2013 to 739 breaches in 2023. See Breach Portal, U.S. Dep’t of Health & Human Servs., Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 1, 2024). The data was downloaded on March 1, 2024, resulting in limited data for 2024. Thus, breaches from 2024 were excluded from the calculations. However, breach investigations that remain open (under investigation) from years prior to 2024 are included in the count of yearly breaches.

[303] See Breach Portal, U.S. Dep’t of Health & Human Servs., Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (last visited March 1, 2024).

[304] In a Federal Register Notice (“FRN”) on Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, OCR proposes increasing the number of covered entities from 700,000 to 774,331. 86 FR 6446, 6497 (Jan. 21, 2021). For purposes of calculating the annual breach incidence rate, FTC staff utilized 700,000 covered entities because the proposed estimate of 774,331 covered entities represents a projected increase that has not been finalized by OCR. The FRN also lists the number of covered Business Associates as 1,000,000. 86 FR 6528. FTC staff arrived at 1.7 million entities subject to the HIPAA Breach Notification Rule by adding 700,000 covered entities and 1,000,000 Business Associates.

[305] One commenter argued that basing the NPRM’s projection of the annual number of breaches on the breach incidence rate for HIPAA-covered entities is problematic because the NPRM’s proposed definition of a breach of security “goes far and beyond” the HIPAA definition of a breach. CCIA at 8-9. To the extent the commenter is referring to the fact that the Rule’s definition of breach of security covers unauthorized disclosures, the Commission notes that the HIPAA Breach Notification Rule similarly covers unauthorized disclosures. See Breach Notification