Theft and disclosures account for most healthcare data breaches. But hackers took 3 times as many records

Hackers took nearly 139 million patient records between 2009 and 2017. (Getty/cifotart)

Over the last decade, healthcare organizations have been far more likely to report a data breach due to theft or an unauthorized disclosure.

Hacking, meanwhile, is much less common. But attackers make off with far more patient records.

In a new study published in JAMA Internal Medicine on Monday, researchers analyzed 1,138 healthcare breaches reported to the Department of Health and Human Services between 2009 and 2017. Two-thirds of those incidents were the result of theft—typically by an outsider or unknown party—or unauthorized disclosure, such as mailing mistakes that inadvertently disclosed sensitive information.


Hacking was far less common, accounting for just 20% of reported incidents. But hackers took 133.8 million patient records, more than half of the total patient records impacted during the nine-year span. Theft and unauthorized disclosures accounted for 42.5 million records combined.


“Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security,” the researchers from Michigan State University and Johns Hopkins Carey Business School wrote.


The researchers used detailed breach descriptions published by HHS in March to confirm the categorizations reported by each organization and to distinguish cases involving paper records from those involving electronic records. Just over half of the breaches were attributable to the organization’s own mistakes or neglect, and the most common location of the breached information was mobile devices.

“Common corrective actions included encrypting and restricting the use of mobile devices when the breached PHI had been stored in those devices; digitizing PHI and enhancing the safety of the storage facility in which paper records were stored; and monitoring or auditing access to and strengthening firewalls for network servers or the cloud,” the researchers wrote.
