Rates of health information breaches are increasing despite legal and moral obligations to protect patient information. Healthcare providers constitute a large share of these breaches, according to the results of a study published in JAMA.
The 1999 Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Information Technology for Economic and Clinical Health Act mandated protections for private patient data and public reporting of data breaches. Yet between 2010 and 2013 alone, data breaches involving more than 29 million patient records occurred.
Thomas H. McCoy Jr, MD, and Roy H. Perlis, MD, MSc, of the Center for Quantitative Health, Massachusetts General Hospital in Boston, analyzed public data to determine the extent and nature of breaches in health information from 2010 through 2017. They downloaded all breaches posted to the US Health and Human Services Office for Human Rights during those years.
The investigators included 2149 known incidents in their analysis, covering more than 176 million health records; the median breach involved 2300 records. Breaches increased every year between 2010 (199 breaches) and 2017 (344 breaches), with the exception of 2015. Breaches affected 3 categories of entities: business associate, healthcare plan, and healthcare provider. Healthcare providers were the most commonly breached entity, accounting for 70% of all breaches but only 21% of breached records, whereas healthcare plans accounted for a larger proportion of total records breached, with most of those records accessed through network connections.
The authors argue that although networked digital health records may “improve clinical care and facilitate learning health systems, they also have the potential to harm vast numbers of patients at once if data security is not improved.”
McCoy TH Jr, Perlis RH. Temporal trend and characteristics of reportable health data breaches, 2010-2017. JAMA. 2018;320:1282-1284.