Healthcare Providers Are Common Source of Data Breaches

Tinker Ready

September 28, 2018

More than 176 million confidential health records were breached between 2010 and 2017, including 37.1 million records controlled by healthcare providers, according to a study published online in JAMA this week.

Researchers found that whereas healthcare providers were most likely to experience data breaches, breaches at insurers led to the disclosure of far more records. In addition, the number of breaches of records controlled by providers rose steeply during the study period, but increased more slowly for health plans and declined for business associates.

The 1996 Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act established privacy rules for healthcare data and mandated reporting of healthcare data breaches.

Although large breaches are widely reported in the media, few data are available regarding smaller breaches or the type of organization affected by breaches.

For the current study, Thomas H. McCoy Jr, MD, and Roy H. Perlis, MD, both of the Psychiatry Center for Quantitative Health at Massachusetts General Hospital in Boston, separated breaches of data confidentiality into three categories on the basis of the type of organization handling the records: healthcare providers, health plans, and "business associates." Business associates include claims processors and others who do not provide or pay for care but have access to HIPAA-protected health records.

Healthcare providers accounted for 70% (1503) of the incidents. But the records exposed in those provider incidents made up a smaller share of the overall number compromised: a cumulative total of 37.1 million (21%) between 2010 and 2017.

In contrast, health plans suffered a smaller number of breaches (278; 13%), but more records were compromised (110.4 million; 63%).

McCoy, director of research at the center, told Medscape Medical News he started looking at data breaches to assess the risk posed to his patients and clinical trial subjects. He used mandated reports of breaches collected by the Department of Health and Human Services, which are publicly available data.

"Large healthcare data sets present an important means of potentially translational discovery," he said. "They also come with a risk of large-scale disclosure. That trade-off between risk and part and parcel of the practice of medicine."

He said the database allowed him to understand the parameters and scope of unauthorized disclosure of patient records. However, he said that it is not possible to know how many confidential patient records are produced in a single year, which makes it difficult to gauge what percentage of all records have been compromised. He also noted that each cited disclosure may not represent an individual patient, as some patients may have had multiple records compromised.

However, if one looks at the number of records compromised, 176 million during the study period, in light of a US population of roughly 300 million, "bottom line, it's a big number," he said.

The authors analyzed 2149 instances of unauthorized release of patient records. The number of records in each incident ranged from 500 to 78.8 million. (In 2015, health insurer Anthem reported the breach of 78.8 million records.)

With the exception of 2015, the number of breach reports increased each year, from 199 in 2010 to 344 in 2017.

The most common source of breached records shifted from laptop and paper or film records in 2010 to network server and email in 2017.

Whereas paper or film was the most common location of breached data overall during the study period, accounting for 510 breaches (24%), those breaches accounted for only 2% of all records breached.

In 2015, the cumulative number of records breached via network servers rose from 12.3 million to 123.7 million and continued to rise. That figure reached 139.9 million (79%) in 2017, representing the largest share of breached records.
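The two comparisons the study rests on, the share of incidents versus the share of records by organization type, and the cumulative record count by breach location over time, can be reproduced from the public HHS breach-report export the authors used. The script below is an added illustration, not the authors' code: it assumes the column names of the OCR portal's CSV export (Name of Covered Entity, Covered Entity Type, Individuals Affected, Breach Submission Date, Location of Breached Information, with MM/DD/YYYY dates) and runs on a small constructed table rather than the real download.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the layout of the HHS OCR breach-portal CSV
# export (assumed column names; the real file is the public download from
# ocrportal.hhs.gov). None of these rows are real breach reports.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Clinic A,MA,Healthcare Provider,1200,03/02/2010,Theft,Laptop
Example Clinic B,NY,Healthcare Provider,800,07/14/2010,Loss,Paper/Films
Example Plan A,IN,Health Plan,5000000,02/04/2015,Hacking/IT Incident,Network Server
Example BA A,TX,Business Associate,3000,09/09/2016,Unauthorized Access/Disclosure,Email
Example Clinic C,CA,Healthcare Provider,45000,11/20/2017,Hacking/IT Incident,Network Server
Example Plan B,IL,Health Plan,250000,05/05/2017,Hacking/IT Incident,Email
"""


def load_rows(text):
    """Parse the CSV export into dicts with numeric record counts and a year."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        # "Individuals Affected" is a record count, not a patient count:
        # one person can appear in several incidents.
        r["Individuals Affected"] = int(r["Individuals Affected"])
        r["year"] = int(r["Breach Submission Date"][-4:])  # assumes MM/DD/YYYY
        rows.append(r)
    return rows


def share_by(rows, column):
    """Incident share versus record share for each value of `column`.

    Returns {value: (incidents, incident_pct, records, record_pct)} so the
    count-of-breaches and volume-of-records views can be compared directly.
    """
    incidents = defaultdict(int)
    records = defaultdict(int)
    for r in rows:
        incidents[r[column]] += 1
        records[r[column]] += r["Individuals Affected"]
    n = len(rows)
    total = sum(records.values())
    return {
        k: (incidents[k], round(100 * incidents[k] / n, 1),
            records[k], round(100 * records[k] / total, 1))
        for k in incidents
    }


def cumulative_records_by_year(rows, column, value):
    """Running total of records exposed, per year, for rows where column == value."""
    per_year = defaultdict(int)
    for r in rows:
        if r[column] == value:
            per_year[r["year"]] += r["Individuals Affected"]
    years = [r["year"] for r in rows]
    out, running = {}, 0
    for y in range(min(years), max(years) + 1):
        running += per_year[y]
        out[y] = running
    return out


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for col in ("Covered Entity Type", "Location of Breached Information"):
        print(col)
        for k, (inc, inc_pct, rec, rec_pct) in sorted(share_by(rows, col).items()):
            print(f"  {k:22s} incidents {inc:3d} ({inc_pct:5.1f}%)  records {rec:9d} ({rec_pct:5.1f}%)")
    print("Cumulative network-server records:",
          cumulative_records_by_year(rows, "Location of Breached Information", "Network Server"))
```

Run against the real export, the same two functions give the provider-versus-plan split and the network-server curve described above; the only preprocessing the real file needs beyond this is handling the few rows whose "Individuals Affected" field is blank.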

"These shifts were paralleled by increases in hacking or information technology (IT) incidents and unauthorized access, which both surpassed theft by 2016," the authors write.

David Blumenthal, MD, helped oversee the implementation of electronic medical records as the national coordinator for Health Information Technology from 2009 to 2011. In a 2015 JAMA editorial, he wrote, "The personal health information of patients in the United States is not safe, and it needs to be.... Threats to the safety of healthcare data need much more focused attention than they have received in the past from both public and private stakeholders."

McCoy said that his research does not speak to particular solutions to the problem.

"It speaks to the aspects of the system that are most often breached," he said.

He said it is not possible to know whether patient records will become more secure as payers and providers gain more experience in working with electronic health records.

"It's — try hard, cross your fingers, and wait and see," McCoy said.

JAMA. 2018;320:1282-1284.
