Number of Large-Scale Health Data Breaches Increasing, Study Finds
The number of large-scale health data breaches reported by physicians and health insurers has been steadily increasing, according to a study by Kaiser Permanente published Wednesday in the Journal of the American Medical Association, Reuters reports.
Researchers reviewed an HHS database of breaches of unencrypted health data. The breaches, reported by entities subject to HIPAA, include those affecting at least 500 people in which the data could be linked back to individual patients.
According to the study, there were nearly 1,000 large data breaches reported between 2010 and 2013 that affected more than 29 million individual health records. Of those breaches, more than one-third occurred in five states:
- New York; and
- Texas (Brown, "Science Now," Los Angeles Times, 4/14).
Researchers noted that more than 50% of the breaches resulted from loss or theft of:
- Paper records; and
- Thumb drives.
Most of the breaches involved individuals' electronic health records.
Overall, the annual number of large breaches increased from 214 in 2010 to 236 in 2011, 234 in 2012 and 265 in 2013.
Increase in Breaches Resulting From Hacking
The percentage of breaches attributed to hacking more than doubled during the three-year period, accounting for about 12% of incidents in 2010 and 27% in 2013. However, such incidents represent fewer than one-third of all large-scale reported breaches (Doyle, Reuters, 4/14).
Study lead author Vincent Liu of Kaiser Permanente's Division of Research said, "While hacking has garnered a lot of recent attention, a more common reason for breaches is simple theft of unsecured paper or electronic records." Still, he noted that the potential of hackers to access "a large number of compromised records tends to be higher than for other sources of data breaches" (Thompson, HealthDay/Philadelphia Inquirer, 4/14).
Further, the study noted that the number of electronic data breaches likely will continue to increase as the use of EHRs rapidly expands, along with increased adoption of:
- Cloud-based analytics services;
- Gene sequencing;
- Personal health records; and
- Other health-related technology (Colliver, San Francisco Chronicle, 4/14).
Liu said, "While electronic data security and privacy is not a problem that is unique to health care, individually identifiable health data cannot be easily reset or changed once it has been compromised." He added, "[W]e must ensure that our patients' data remains secure" (Reuters, 4/14).
In order to increase data security, the researchers recommended that health care organizations and lawmakers take action to increase staff training and bolster security measures (San Francisco Chronicle, 4/14).
Meanwhile, the Commonwealth Fund's David Blumenthal wrote in an editorial accompanying the study that health care organizations must change their "behavior" to correct inadequate security practices, such as failing to encrypt data and staff carrying unprotected devices outside of health care facilities. In addition, he noted that patients should inquire about the facilities' security practices (Reuters, 4/14).
This is part of the California Healthline Daily Edition, a summary of health policy coverage from major news organizations.