Reports of security breaches involving health care information have become increasingly prevalent in recent years, and such breaches seem to be continually growing in scope and magnitude. In the April 14, 2015, issue of JAMA, the Journal of the American Medical Association, three California researchers led by Dr. Vincent Liu (hereinafter Liu et al.) sought to more fully understand the scope and characteristics of recent data breaches and their impact on the health care industry. Liu et al. used data provided by the Department of Health and Human Services to look at all data breaches between 2010 and 2013 that affected the unencrypted protected health information of at least 500 individuals and were reported by entities covered under the Health Insurance Portability and Accountability Act (HIPAA). Liu et al.’s findings included the following:
- 949 total data breaches were reported between 2010 and 2013, with the annual number of breaches increasing from 214 in 2010 to 265 in 2013;
- 1 million records were affected by the 949 breaches, although certain records may have been involved in more than one breach;
- A breach was reported in every state, the District of Columbia, and Puerto Rico;
- Six breaches affected more than one million records each;
- 7% of breaches involved a portable electronic device or laptop, while 22.3% of breaches involved paper records;
- Theft (58.2%) was the leading cause of breaches, followed by unauthorized data access or disclosure (14.8%), and loss or improper disposal of data (11.1%);
- Hacking or information technology incidents were responsible for 7.1% of breaches; and
- 8% of breaches involved an external vendor.
Although Liu et al. cautioned that these findings likely underestimate the scope and characteristics of recent data breaches due to limitations in the underlying data, the findings are sufficient to provide a number of lessons for health care entities. As Liu et al. observed, the majority of data breaches were caused by criminal activity, with theft the leading cause. The findings also reiterate the importance of appropriate security practices by business associates, as nearly one-third of the breaches involved an external vendor.
Interestingly, 22.3% of the breaches involved paper records, and only 7.1% occurred due to hacking or an IT incident. This is a reminder that, while hacking incidents receive significant publicity, health care entities must also be aware of security threats to non-electronic records. However, these findings likely under-represent the threat posed by hacking, as hacking can instantly expose huge amounts of data and be particularly difficult for health care entities to detect (and thus report). For example, the study did not include recent data breaches involving Community Health Systems and Anthem Health Insurance that collectively affected tens of millions of records and were allegedly the result of sophisticated hacking attacks. Regardless, Liu et al.’s findings reinforce the need for health care entities to be proactive in recognizing data security threats and implementing effective security protections.