Theft and disclosures account for most healthcare data breaches. But hackers took 3 times as many records

Hackers took nearly 139 million patient records between 2009 and 2017. (Getty/cifotart)

Over the last decade, healthcare organizations have been far more likely to report a data breach due to theft or an unauthorized disclosure.

Hacking, meanwhile, is much less common. But attackers make off with far more patient records.

In a new study published in JAMA Internal Medicine on Monday, researchers analyzed 1,138 healthcare breaches reported to the Department of Health and Human Services between 2009 and 2017. Two-thirds of those incidents were the result of theft—typically by an outsider or unknown party—or unauthorized disclosure, such as mailing mistakes that inadvertently disclosed sensitive information.



Hacking was far less common, accounting for just 20% of reported incidents. But hackers took 133.8 million patient records, more than half of the total patient records impacted during the nine-year span. Theft and unauthorized disclosures accounted for 42.5 million records combined.


“Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security,” the researchers from Michigan State University and Johns Hopkins Carey Business School wrote.


The researchers used detailed breach descriptions published by HHS in March to confirm categorizations reported by each company and differentiate cases that involved paper or electronic records. Just over half were attributable to the organization’s own mistakes or neglect, and most breaches were located on mobile devices.

“Common corrective actions included encrypting and restricting the use of mobile devices when the breached PHI had been stored in those devices; digitizing PHI and enhancing the safety of the storage facility in which paper records were stored; and monitoring or auditing access to and strengthening firewalls for network servers or the cloud,” the researchers wrote.
