If you suffer a security breach in your EHR this year, it's a 50/50 shot on whether it was accidental or intentional. At least, that's one of the lessons you should take from a list of 10 hospitals and health systems that had significant data breaches over the last year, reported in Becker's Hospital Review.
Analyzing the breaches together revealed five were unintentional, and five were clearly purposeful. For CIOs, the lessons are these:
1. Accidents happen? The most common reason for data loss (three of the 10 incidents) was bonehead mistakes. Mountain Vista Medical Center, Mesa, Ariz., lost memory data cards with patient information; University of Tennessee Medical Center in Knoxville mistakenly put 8,000 patients' records in the trash rather than the shredder; and New York-Presbyterian Hospital came under fire when an employee inadvertently placed pieces of personal health information on an unsecured server.
2. Transport is risky. Two of the breaches happened while data was in transit. At Danville, Pa.-based Geisinger Health System, a physician emailed personal health information to his home computer so he could complete analysis on some data. He used an unencrypted email, however, potentially disclosing personal health information for more than 3,000 patients. In another example, South Shore Hospital, Weymouth, Mass., lost back-up computer files for about 800,000 patients as it was transferring the data to a data management company.
3. Data thieves aren't all hackers. At Griffin Hospital in Derby, Conn., the culprit in the theft of nearly 1,000 patients' files was a radiologist who, after he no longer worked for the hospital, accessed patient contact and financial information, and attempted to lure some of those patients over to his practice, Becker's reports. In another instance, at Dean and St. Mary's Hospital in Madison, Wis., burglars stole a laptop during a home invasion. The laptop included the personal health information for nearly 3,300 patients.
Interestingly, it was one of only two reported incidents involving hackers that ultimately harmed patients. A hospital employee at Johns Hopkins Hospital in Baltimore stole patients' Social Security numbers and other information to obtain credit and buy more than $600,000 in merchandise, Becker's reports.
To learn more:
- read this Becker's Hospital Review piece