Study Reveals Extent, Nature of Health Data Breaches

Between 2010 and 2013, there were more than 900 data breaches of protected health information affecting at least 500 individuals, with most of them resulting from overt criminal activity, according to a study in the April 14 issue of the Journal of the American Medical Association (JAMA).

Six of the breaches involved more than 1 million records each, and the number of reported breaches increased over time (from 214 in 2010 to 265 in 2013). More than 29 million records were affected by the breaches included in the study.

Vincent Liu, M.D., M.S., of the Kaiser Permanente Division of Research, Oakland, Calif., and colleagues evaluated an online database maintained by the U.S. Department of Health and Human Services. The HHS database described data breaches of unencrypted protected health information reported by health plans and clinicians covered under the Health Insurance Portability and Accountability Act (HIPAA).

The researchers included breaches affecting 500 individuals or more reported as occurring from 2010 through 2013, which they said accounted for 82 percent of all reports.

Compared with those in other industries, data breaches in health care are estimated to be the most costly; however, few studies before this one have detailed their characteristics and scope, the authors said.

Breaches were reported in every state, the District of Columbia, and Puerto Rico. Five states (California, Texas, Florida, New York, and Illinois) accounted for 34 percent of all breaches. However, when adjusted by population estimates, the states with the highest adjusted number of breaches and affected records varied.

Most breaches occurred via electronic media (67 percent), frequently involving laptop computers or portable electronic devices (33 percent). Most breaches also occurred via theft (58 percent).

The combined frequency of breaches resulting from hacking and unauthorized access or disclosure increased during the study period (12 percent in 2010 to 27 percent in 2013).

Breaches involved external vendors in 29 percent of reports.

The authors note that since their study was limited to breaches that were already recognized, reported and affecting at least 500 individuals, their study “likely underestimated the true number of health care data breaches” occurring each year.

The authors say that the frequency and scope of electronic health care data breaches are likely to increase given the expansion in electronic health record deployment since 2012, as well as the increase in cloud-based services.

“Strategies to mitigate the risk and effect of these data breaches will be essential to ensure the well-being of patients, clinicians and health care systems,” according to the researchers.

David Blumenthal, M.D., of The Commonwealth Fund, New York, and Deven McGraw, J.D., of Manatt Phelps & Phillips LLP, Washington, D.C., warned in an accompanying editorial in JAMA that the stakes associated with the threats to security of personal health information are “huge” and that public and private interests need to pay more attention to preventing them.

“[I]f patients have concerns that their digitized personal health information will be compromised, they will resist sharing it via electronic means, thus reducing its value in their own care and its availability for research and performance measurement,” they wrote.

“Concerned patients may also withhold sensitive information about issues such as mental health, substance abuse, human immunodeficiency virus status, and genetic predispositions. Surveys suggest this may already be happening to some degree. Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States.”

Source: Journal of the American Medical Association