Academic medical centers most at risk for data breaches; Montefiore, Advocate top lists

Nearly 1,800 data breaches were reported between Oct. 21, 2009, and Dec. 31, 2016, mainly at large teaching hospitals.

As if running a large academic medical center (AMC) wasn’t complicated enough, now AMC leaders have one more thing to worry about—their organizations are more susceptible to large data breaches than other providers.

Ge Bai, Ph.D.

So say researchers who crunched the Department of Health and Human Services' numbers. Led by Ge Bai, Ph.D., an assistant professor at the Johns Hopkins Carey Business School in the District of Columbia, they offered a rundown in a letter published in JAMA.

RELATED: FBI warns of cybercriminals targeting healthcare servers

Between Oct. 21, 2009, and Dec. 31, 2016, 1,798 data breaches were reported. Of the 33 hospitals that were breached at least twice, many are large teaching hospitals. 

“Hospital size and major teaching status were positively associated with the risk of data breaches,” the authors concluded.

The authors noted there’s a “fundamental trade-off” between data security and data access.

“Broad access to health information, essential for hospitals’ quality improvement efforts and research and education needs, inevitably increases risks for data breaches and makes “zero breach” an extremely challenging objective,” they wrote. “The evolving landscape of breach activity, detection, management and response requires hospitals to continuously evaluate their risks and apply best data security practices.”

RELATED: Eric Topol: Deaggregate data to liberate and protect it

Hospitals and health systems that suffered more than one breach between Oct. 21, 2009, and Dec. 25, 2016, included:

  • Montefiore Medical Center in New York (4)
  • New York’s University of Rochester Medical Center & Affiliates (4)
  • Boston’s Brigham and Women's Hospital (3)
  • Cook County (Illinois) Health & Hospitals System (3)
  • Florida’s Mount Sinai Medical Center in Florida (3)
  • St. Vincent Hospital and Healthcare in Indiana (3)

Organizations that had breaches affecting more than 20,000 individuals included:

  • Advocate Health and Hospitals Corporation in Illinois (4,031,767)
  • California’s AHMC Healthcare Inc and affiliated Hospitals (729,000)
  • New York’s Jacobi Medical Center (90,0600
  • Providence Hospital in Michigan (83,945)
  • St. Vincent Hospital and Healthcare in Indiana (65,666)