Issue: May 2015
April 14, 2015
2 min read
Save

Rise in health data breaches driven by criminal activity

Issue: May 2015
You've successfully added to your alerts. You will receive an email when new content is published.

Click Here to Manage Email Alerts

We were unable to process your request. Please try again later. If you continue to have this issue please contact customerservice@slackinc.com.

Researchers reported an increase in health care data breaches reported by HIPAA-covered entities between 2010 and 2013, involving slightly more than 29 million medical records.

Most of the breaches of protected patient health information resulted from criminal activity, they found.

Vincent Liu, MD, MS, of Kaiser Permanente’s Division of Research in Oakland, California, and colleagues evaluated an online database maintained by the Department of Health and Human Services to document breaches of unencrypted, protected patient health information reported by health plans and clinicians covered under HIPAA. The researchers examined breaches involving 500 patients or more during a 3-year period, representing 82.1% of all reports during that time.

Vincent Liu

Vincent Liu

Liu and colleagues identified 949 data breaches involving 29.1 million records from 2010 to 2013. Six of these breaches each involved more than 1 million records, they said, and the number of reported data breaches increased over time (P < .001). Although breaches were reported in every state, 34.1% occurred in California, Florida, Illinois, New York and Texas.

According to the researchers, most breaches were facilitated by the use of electronic media (67%), including laptops or portable electronic devices (32.7%). A majority of breaches resulted from theft (58.2%). Additionally, the frequency of hacking and unauthorized access or disclosure increased from 12.1% in 2010 to 27.2% in 2013 (P < .001), a finding that raises “serious security concerns,” they wrote. External vendors were involved in 28.8% of reported data breaches.

The researchers said the study was limited to breaches that already were reported, and the actual number of health care data breaches taking place annually could be higher.

“Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services provided by vendors supporting predictive analytics, personal health records, health-related sensors, and gene sequencing technology, the frequency and scope of electronic health care data breaches are likely to increase. Strategies to mitigate the risk and effect of these breaches will be essential to ensure the well-being of patients, clinicians, and health care systems,” Liu and colleagues wrote.

In a related editorial, David Blumenthal, MD, MPP, of the Commonwealth Fund in New York, and Deven McGraw, JD, LLM, MPH, of Manatt, Phelps & Phillips, in Washington, D.C., wrote that if patients believe their health information is unprotected, they will refuse to share it electronically, “thus reducing its value in their own care and its availability for research and performance measurement.”

Blumenthal and McGraw recommended “good data hygiene,” requiring “basic precautions such as encrypting health data, prohibiting the storage of personal information on employees’ personal electronic devices (which are vulnerable to loss and theft), and using sound practices for authenticating authorized users.”

They also recommended an overhaul of HIPAA, which had been enacted before the existence of the Internet and other means of recording and transmitting sensitive information electronically.

“The stakes associated with the privacy and security of personal health information are huge,” they wrote. “Threats to the safety of health care data need much more focused attention than they have received in the past from both public and private stakeholders.” – by John Schoen

Disclosure: The researchers report no relevant financial disclosures.