There has been a 70% rise in healthcare data breaches from 2010-17, according to a study completed by two physicians at the Massachusetts General Hospital Center for Quantitative Health.
The study, included in the Journal of the American Medical Association on September 25, incorporated a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017.
Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study stated: “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure.”
Annually, with the exception of 2015, the number of healthcare data breaches has increased, going up from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have lead to the loss, theft, exposure, or impermissible disclosure of 176.4 million healthcare records. 75% of those records were exposed or stolen due to the hacking or IT incidents.
While the number of hacking and IT incidents goes on rising each year, the number of theft incidents has declined by 66% since 2010 when it was the leading cause of healthcare data breaches. This is due to healthcare groups transitioning to electronic health records and encrypting health data stored on portable electronic devices.
In 2010, the most common place this occurred was in laptop computers followed by paper records and films. In 2017, the most common locations of breached health data were network servers and email, both of which are attacked by hackers.
The study included healthcare providers, health plans and business associates of HIPAA covered groups. Healthcare providers suffered the most breaches (70%) over the period of study, which stands to reason given that there are many more healthcare suppliers than health plans in the United States. However, while there were fewer health plan data breaches – 13% of the total – they lead to the exposure of more records – 63% of all breached records between 2010 and 2017.
McCoy said: “More breaches happen—for the sake of argument—in doctor’s offices, quote-on-quote ‘healthcare providers,’ but more records get lost by big insurance companies.”
The high amount of records exposed by health plan data breaches is mainly due to three health plan data breaches which resulted in the theft of 99.8 million records: The 78.8 million record breach at Anthem Inc., the 11 million record breach at Premera Blue Cross, and the 10 million record breach at Excellus Blue Cross Blue Shield. Those three breaches made up over half of all exposed health records between 2010 and 2017.
The most serious healthcare data breaches include records stored on network servers. There were 410 data breaches on network servers over the period of study and they affected almost 140 million patients, compared to 510 breaches involving paper/films which impacted 3.4 million patients.
Roy Perlis, MD, MSc, director of the Center for Quantitative Health, and co-author of the study said: “For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly.”