- Since 2010, the total number of healthcare data breaches has increased steadily every year — except in 2015 — from 199 in 2010 to 344 in 2017, according to an analysis of US health care data conducted by two Massachusetts General Hospital (MGH) physicians.
While 70 percent of all breaches took place at health care providers, breaches involving health plans accounted for 63 percent of all breached records. In fact, health plans accounted for the greatest number of patient records breached over the study period.
Their analysis covered 2,149 reported breaches involving 176.4 million patient records, with individual breaches ranging from 500 to almost 79 million patient records. Their report examined changes in healthcare data breaches during a period when EHRs were being widely adopted.
“While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said MGH Center for Quantitative Health Director of Research Thomas McCoy.
In 2010, the most common type of healthcare data breach was theft of physical records, but by 2017 hacking or other IT incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data.
The most common type of breached media in 2010 was laptop computers, followed by paper and film records, while by 2017 network servers or email accounted for the largest number of breaches. Overall, the greatest number of patient records were breached from network servers, the study found.
“While the total of 510 breaches of paper and film records impacted about 3.4 million patient records, the 410 breaches of network servers impacted nearly 140 million records; and the three largest breaches together accounted for a bit more than half of all records breached,” said McCoy, who was the lead author of the study.
“As we work to make breaches less common and less consequential, we need to better understand systemic risk factors for data breach and the harms that arise from data disclosure,” he added.
Healthcare Data Breaches Can Lead to HIPAA Fines
Unfortunately for healthcare organizations, data breaches can lead to hefty HIPAA fines. Earlier this month, UMass Memorial agreed to pay $230,000 for HIPAA violations for healthcare data breaches that exposed PHI on more than 15,000 Massachusetts residents, while New York-based Arc of Erie County agreed to part with $200,000 for a HIPAA violation in which PHI on 3,751 clients was exposed.
In February of this year, Fresenius Medical Care North America was hit with a $3.5 million HIPAA fine. OCR accused Fresenius Medical Care North America, a dialysis provider that also runs labs, urgent care centers, and post-acute practices, of HIPAA violations on five different occasions at separate facilities.
Also in February, a company that was appointed as a receiver to liquidate the assets of Filefax, a medical records storage firm that went out of business in 2017, agreed to pay a $100,000 HIPAA settlement. OCR had been investigating a complaint against Filefax from 2015, when 2,150 medical records were reportedly left at a shredding and recycling facility.
After years in court, the University of Texas MD Anderson Cancer Center was ordered by an HHS Administrative Law Judge to pay $4.3 million in fines for various HIPAA violations.
OCR alleged that MD Anderson failed to encrypt its inventory of devices that handled and held PHI, which led to the exposure of PHI on more than 33,500 individuals when a laptop was stolen and two thumb drives were lost in 2012 and 2013.
OCR investigated MD Anderson following the three data breaches and found that it had encryption policies dating from 2006 and that its own risk analyses had found that the lack of device-level encryption posed a high risk to patient data.
However, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of PHI until 2011, and it failed to encrypt its inventory of electronic devices containing PHI between March 24, 2011, and January 25, 2013.
Last year, OCR levied $19.4 million in HIPAA fines, and the previous year it assessed $23.5 million in HIPAA fines.
For healthcare organizations, not securing patient data can be expensive in terms of damaged reputation, remediation expenses, regulatory fines, and possible lawsuits.