Either hackers want your health data, or companies like health insurers can’t keep that information safe.
That’s according to a new study in the Journal of the American Medical Association. The number of annual health data breaches increased 70% to 344 over the past seven years, with 75% of the breached, lost, or stolen records – 132 million – being breached by a “hacking or IT incident,” a nebulous category created by the government that doesn’t appear to distinguish malicious theft from accidental loss.
Researchers at the Massachusetts General Hospital Center for Quantitative Health reviewed over 2,000 data breaches comprising 176.4 million records that were reported to the Department of Health and Human Services between 2010 and 2017. They found that with the exception of 2015, the number of breaches increased each year. However, the number of cases where data breaches were classified as “theft” declined as electronic medical records became more common, with the number of those breaches dropping by nearly two-thirds between 2010 and 2017.
Thomas McCoy, the center’s director and the paper’s co-author, says he decided to analyze that data because he often uses electronic health records in his own research. “I think they’re an exciting opportunity to make transformational discoveries, but I wanted to better understand the risks that those data sets present to my patients,” says McCoy, who is also an assistant professor of psychiatry at Harvard Medical School.
Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was implemented in 2009, breaches of health information protected under HIPAA have been required to be reported to the HHS. Breaches that include 500 or more records are tracked in a public HHS database.
The analysis looked at the three main places that process patient data and are tracked by the HHS: health care providers, health plans and “business associates,” which are essentially any organizations that have access to HIPAA-protected data but don’t provide or reimburse health care. Their study found that while health care providers experienced the most (1,503) data breaches among the three, the largest share of records breached came from health plans at 110.4 million. That would be 63% of the breached records.
“More breaches happen—for the sake of argument—in doctors’ offices, quote-unquote ‘healthcare providers,’ but more records get lost by big insurance companies,” McCoy says.
While “breaches” might conjure images of unnamed hackers in a shadowy room, breaches reported to the HHS could be anything from a loss of data, to improper disposal of data, to unauthorized access or disclosure.
Use of electronic medical records has been on the rise since the HITECH Act was implemented, because the law created strong incentives for doctors and hospitals to adopt them. According to some of the most recent available data, from 2011, 84% of hospital emergency departments used an electronic health record system, up from 46% in 2006, the National Hospital Ambulatory Medical Care Survey found.
McCoy’s research suggests that as EHRs become more common, data breaches may continue to increase. “The reality is our patients have an expectation of confidentiality,” says McCoy. “These breaches are cases where we’ve failed to meet that expectation, so it’s good to keep track of it and know how we’re doing.”
The Department of Health and Human Services did not return a request for comment on this study.