Data on Health Data Breaches Published

April 14, 2015

Between 2010 and 2013, data breaches of protected health information reported by HIPAA-covered entities increased and involved approximately 29 million records, with most data breaches resulting from overt criminal activity, according to a study in the April 14 issue of JAMA (Journal of the American Medical Association).

Reports of data breaches have increased during the past decade. Data breaches in health care are estimated to be the most costly of any industry; however, few studies have detailed their characteristics and scope. Vincent Liu, M.D., M.S., of the Kaiser Permanente Division of Research, Oakland, Calif., and colleagues evaluated an online database maintained by the U.S. Department of Health and Human Services describing data breaches of unencrypted protected health information (i.e., individually identifiable information) reported by entities (health plans and clinicians) covered under the Health Insurance Portability and Accountability Act (HIPAA). The researchers included breaches affecting 500 individuals or more reported as occurring from 2010 through 2013, accounting for 82 percent of all reports.

The authors identified 949 breaches affecting 29.1 million records. Six breaches involved more than 1 million records each and the number of reported breaches increased over time (from 214 in 2010 to 265 in 2013).

Breaches were reported in every state, the District of Columbia, and Puerto Rico. Five states (California, Texas, Florida, New York, and Illinois) accounted for 34 percent of all breaches. However, when adjusted by population estimates, the states with the highest adjusted number of breaches and affected records varied.

Most breaches occurred via electronic media (67 percent), frequently involving laptop computers or portable electronic devices (33 percent). Most breaches also occurred via theft (58 percent).

The combined frequency of breaches resulting from hacking and unauthorized access or disclosure increased during the study period (12 percent in 2010 to 27 percent in 2013). Breaches involved external vendors in 29 percent of reports.

The authors note that the study was limited to breaches that were already recognized, reported, and affecting at least 500 individuals. “Therefore, our study likely underestimated the true number of health care data breaches occurring each year.”

“Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services provided by vendors supporting predictive analytics, personal health records, health-related sensors, and gene sequencing technology, the frequency and scope of electronic health care data breaches are likely to increase. Strategies to mitigate the risk and effect of these data breaches will be essential to ensure the well-being of patients, clinicians, and health care systems.”
Source: JAMA—Journal of the American Medical Association

Editor’s Note: Dr. Liu was supported by the Permanente Medical Group and a grant from the National Institutes of Health. The authors have completed and submitted the ICMJE Form for Disclosure of Potential Conflicts of Interest and none were reported.