The world of healthcare record-keeping is inescapably digital — and therefore, inescapably vulnerable. A recently released study illustrates just how vulnerable healthcare data really is, and where the threats are highest.

Carried out by two doctors at the Massachusetts General Hospital Center for Quantitative Health, the study was published late last month in the Journal of the American Medical Association. The research analyzed more than 2,000 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (HHS-OCR) for the period between 2010 and 2017. The conclusion? That there has been a 70% increase in breaches over that time.

Study intended to “better understand the potential downsides” of EHRs for patients

Dr. Thomas McCoy Jr. is the director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and the lead author of the study. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case, the risk of data disclosure,” he told HIPAA Journal.

Health plans, business associates of HIPAA covered entities, and healthcare providers were the subjects of the study. Since providers vastly outnumber health plans, it may be no surprise that providers saw the highest number of breaches (70% of the 2,149 during the study period, versus 13% of that total due to health plan breaches). What may be surprising, however, is that health plan data breaches were responsible for the compromise of far more records overall . . . a whopping 63% of all breached healthcare records.

“More breaches happen—for the sake of argument—in doctor’s offices, quote-un-quote ‘healthcare providers,’ but more records get lost by big insurance companies,” McCoy said.

The trend in breaches was up

Excepting 2015, every year studied saw bumps in the number of data breaches reported. There were 199 breaches in 2010 and 344 breaches in 2017. And while they may sound like modest numbers, it’s worth remembering that those breaches led to more than 175 million healthcare records being substantially compromised, including theft, disclosure without permission, loss, and exposure. Three-quarters of those records were compromised due to IT incidents or hacking events.

However, further parsing out the data provides at least one area of improvement: In 2010, theft was responsible for the majority of data breaches. But since then, the instances of theft of healthcare data has dropped by two-thirds. The study’s authors say this is thanks to the encryption of data stored on portable devices, as well as providers switching to electronic health records (EHRs).

Similarly, the most common medium for digital healthcare breaches changed over the years of the study as well. In 2010, laptops represented the highest risk for data breaches, followed by paper records and films. Seven years later, network servers and emails — vulnerable to hackers — took the top spot for most frequently compromised data.

Roy Perlis, MD, MSc, is the co-author of the study and director of the Center for Quantitative Health. He had this to say to HIPAA Journal:  “For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly.”

Three massive breaches led to 100 million records exposed

Regarding the health plan data breaches, nearly 100 million electronic health records were stolen in three breaches alone: 10 million records in the Excellus Blue Cross Blue Shield breach; 11 million in the Premera Blue Cross event; and 78.8 million in the Anthem Inc. breach. Those three events alone were responsible for over 50% of all compromised health records from 2010 to 2017.

In terms of which breaches affect the greatest number of individuals, compromised network servers take the biggest piece of the pie there. The study revealed more than 400 healthcare data breaches of network servers that exposed the information of nearly 140 million patients. In contrast, over 500 breaches of records stored on paper/film adversely affected 3.4 million people.

This article is provided for educational purposes only and is not offered as, and should not be relied on as, legal advice. Any individual or entity reading this information should consult an attorney for their particular situation. For more information/questions regarding any legal matters, please email or call 310.203.2800.