Practice Economics

Health data breaches compromised 29 million patient records in 2010-2013

View on the News

Hacking, hygiene, and HIPAA are the culprits

Dr. Liu and his colleagues’ research makes clear that the personal health information of patients in the United States is not safe, and it needs to be. Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States. The question is what to do.

Part of the responsibility lies with the private custodians of health data, mostly clinicians, health care organizations, and insurers. Although malicious hacking gets the most media attention, the majority of data breaches result from a much more mundane and correctable problem: the failure of covered entities to observe what might be called good data hygiene.

But part of the responsibility also lies with policy makers. Health care organizations and practitioners bemoan HIPAA’s requirements, but in fact the law is antiquated and inadequate to protect patients’ health care privacy and security. The fact that HIPAA regulates only certain entities that hold health data, rather than regulating health data wherever those data reside, seems illogical in today’s digital world.

Dr. David Blumenthal is president of the Commonwealth Fund in New York; Deven McGraw is a health care attorney in Washington. Their comments were made in an editorial accompanying the study (JAMA 2015 [doi:10.1001/jama.2015.2746]). They reported no conflicts of interest related to their comments.

FROM JAMA

Some 29 million private patient health records were compromised between 2010 and the end of 2013 – mostly as a result of criminal activity, say researchers, who described their findings as a likely underestimate of the magnitude of the problem.

In a research letter published April 14 in JAMA (doi:10.1001/jama.2015.2252), Dr. Vincent Liu of Kaiser Permanente in Oakland, Calif., and his colleagues at Stanford (Calif.) University evaluated U.S. Department of Health & Human Services reports of data breaches affecting 500 or more individuals at entities covered under the Health Insurance Portability and Accountability Act (HIPAA). Of the 949 reported breach events during the 4-year study period, 67% involved electronic media, while about 20% were attributed to paper records. Theft of a laptop or other portable device accounted for 33% of all breaches reported.


Importantly, the share of breaches attributed to hacking or unauthorized access rose significantly over the study period, from 12% in 2010 to 27% in 2013, and breaches involving external vendors (HIPAA business associates) accounted for 29% of all incidents.
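The breakdown the study derives from the HHS breach reports (medium, portable-device theft, vendor involvement, and the yearly share of hacking or unauthorized access) can be reproduced on the breach portal's published export. The following is an added example, not code from the JAMA study or from HHS; it assumes the column names and category labels of the public HHS breach portal export ("Type of Breach", "Location of Breached Information", "Business Associate Present") and runs on a constructed sample rather than the real feed.

```python
"""Added example: replicate the study's breach-type breakdown on an
HHS-style breach export.  Column names and category labels are assumed
from the public HHS breach portal; the rows below are constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample rows in the assumed export layout (not real breaches).
# The 300-individual row is deliberately below the HITECH threshold.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,CA,Healthcare Provider,1200,03/02/2010,Theft,Laptop,No
Example Health Plan B,NY,Health Plan,5000,06/15/2010,Unauthorized Access/Disclosure,Paper/Films,No
Example Hospital C,TX,Healthcare Provider,800,09/30/2010,Loss,Other Portable Electronic Device,Yes
Example Clinic D,WA,Healthcare Provider,2500,02/11/2013,Hacking/IT Incident,Network Server,Yes
Example Provider E,FL,Healthcare Provider,650,05/20/2013,Theft,Laptop,No
Example Hospital F,IL,Healthcare Provider,300,08/01/2013,Hacking/IT Incident,Email,No
Example Plan G,OH,Health Plan,4100,11/12/2013,"Theft, Unauthorized Access/Disclosure",Desktop Computer,Yes
"""

MIN_INDIVIDUALS = 500  # HITECH threshold for reporting to HHS; the study's scope

# Assumed portal vocabulary, grouped the way the study reports its results.
PAPER_LOCATIONS = {"Paper/Films"}
ELECTRONIC_LOCATIONS = {"Laptop", "Desktop Computer", "Network Server", "Email",
                        "Electronic Medical Record", "Other Portable Electronic Device"}
PORTABLE_LOCATIONS = {"Laptop", "Other Portable Electronic Device"}
HACK_OR_UNAUTH = {"Hacking/IT Incident", "Unauthorized Access/Disclosure"}


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 for an empty denominator."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def load_breaches(csv_text, min_individuals=MIN_INDIVIDUALS):
    """Parse the export and keep only events at or above the threshold.

    'Type of Breach' can hold several comma-separated labels for one event,
    so it is split into a set rather than matched as a single string."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        affected = int(row["Individuals Affected"])
        if affected < min_individuals:
            continue  # outside the study's scope
        events.append({
            "year": int(row["Breach Submission Date"].split("/")[-1]),
            "affected": affected,
            "types": {t.strip() for t in row["Type of Breach"].split(",")},
            "location": row["Location of Breached Information"].strip(),
            "vendor": row["Business Associate Present"].strip().lower() == "yes",
        })
    return events


def summarize(events):
    """Breakdown in the shape the study reports: medium, portable-device
    theft, vendor involvement, and the yearly share of hacking or
    unauthorized access (the trend the text highlights)."""
    n = len(events)
    per_year = defaultdict(lambda: [0, 0])  # year -> [hack_or_unauth, total]
    for e in events:
        per_year[e["year"]][1] += 1
        if e["types"] & HACK_OR_UNAUTH:
            per_year[e["year"]][0] += 1
    return {
        "events": n,
        "records": sum(e["affected"] for e in events),
        "pct_electronic": pct(sum(e["location"] in ELECTRONIC_LOCATIONS for e in events), n),
        "pct_paper": pct(sum(e["location"] in PAPER_LOCATIONS for e in events), n),
        "pct_portable_theft": pct(sum("Theft" in e["types"] and e["location"] in PORTABLE_LOCATIONS
                                      for e in events), n),
        "pct_vendor": pct(sum(e["vendor"] for e in events), n),
        "hack_share_by_year": {y: pct(h, t) for y, (h, t) in sorted(per_year.items())},
    }


if __name__ == "__main__":
    for key, value in summarize(load_breaches(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

Run against the real export, the same functions yield the figures the article reports (electronic versus paper share, portable-device theft, vendor involvement, and the 2010-to-2013 rise in hacking or unauthorized access). The threshold filter is kept explicit even though the portal lists only breaches of 500 or more individuals, so that the scope of any derived number is visible in the code, and the multi-label "Type of Breach" field is treated as a set so that an event recorded as both theft and unauthorized access is counted under both categories rather than silently dropped.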

“Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services provided by vendors supporting predictive analytics, personal health records, health-related sensors, and gene-sequencing technology, the frequency and scope of electronic health care data breaches are likely to increase,” Dr. Liu and colleagues wrote.

“Our study was limited to breaches that were already recognized, reported, and affecting at least 500 individuals [as required by the HITECH Act of 2009],” Dr. Liu and colleagues wrote. “Therefore, our study likely underestimated the true number of health care data breaches occurring each year.” The study was funded by Permanente Medical Group and the National Institutes of Health. None of its authors reported any relevant conflicts of interest.
