There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health.
The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017.
“While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study.
Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or impermissible disclosure of 176.4 million healthcare records. 75% of those records were exposed or stolen as a result of hacking or IT incidents.
While the number of hacking and IT incidents continues to increase each year, the number of theft incidents has declined by two-thirds since 2010, when theft was the leading cause of healthcare data breaches. This is due to healthcare organizations transitioning to electronic health records and encrypting health data stored on portable electronic devices.
In 2010, the most common location of breached health data was laptop computers followed by paper records and films. In 2017, the most common locations of breached health data were network servers and email, both of which are targeted by hackers.
The study covered healthcare providers, health plans and business associates of HIPAA covered entities. Healthcare providers experienced the most breaches (70%) over the period of study, which stands to reason given that there are many more healthcare providers than health plans in the United States. However, while there were fewer health plan data breaches – 13% of the total – they resulted in the exposure of more records – 63% of all breached records between 2010 and 2017.
“More breaches happen—for the sake of argument—in doctor’s offices, quote-on-quote ‘healthcare providers,’ but more records get lost by big insurance companies,” said McCoy.
The high number of records exposed by health plan data breaches is largely due to three health plan data breaches that resulted in the theft of 99.8 million records: the 78.8 million record breach at Anthem Inc., the 11 million record breach at Premera Blue Cross, and the 10 million record breach at Excellus Blue Cross Blue Shield. Those three breaches accounted for more than half of all exposed health records between 2010 and 2017.
The most serious healthcare data breaches involve records stored on network servers. There were 410 data breaches involving network servers over the period of study and they impacted almost 140 million patients, compared to 510 breaches involving paper/films which impacted 3.4 million patients.
“For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly,” said Roy Perlis, MD, MSc, director of the Center for Quantitative Health, and co-author of the study.