Health plans accounted for the greatest number of patient records breached over the past seven years, according to an analysis of U.S. health care data conducted by two Massachusetts General Hospital (MGH) physicians.
Their report, published in JAMA, examined changes in data breaches during a period when electronic health records were being widely adopted across the country.
While the largest number of data breaches took place at health care providers—hospitals, physician offices, and similar entities—breaches involving the greatest number of patient records took place at health plans.
Lead author Thomas McCoy, M.D., director of research at the MGH Center for Quantitative Health, said in a statement, “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure.”
McCoy and senior author Roy Perlis, M.D., director of the Center for Quantitative Health, analyzed all data breaches reported to the Office of Civil Rights of the U.S. Department of Health and Human Services from January 1, 2010, to December 31, 2017. They examined trends in the numbers and types of breaches reported in three categories: those taking place at health care providers, at health plans and at business associates – entities that do not provide or reimburse for health services but have legitimate access to patient data in support of plans or providers.
Protections for private patient data and mandatory public reporting of breaches of data confidentiality were established by the 1999 Health Insurance Portability and Accountability Act (HIPAA) and the 2009 Health Information Technology for Economic and Clinical Health Act. Between 2010 and 2013, data breaches involving at least 29.1 million patient records were reported. The researchers surmised that the ongoing transition to electronic health records may increase such breaches, and used public data to examine the nature and extent of breaches from 2010 through 2017.
The researchers’ analysis covered 2,149 reported breaches involving a total of 176.4 million patient records, with individual breaches ranging from 500 to almost 79 million patient records. Over the seven-year period, the total number of breaches increased every year (except in 2015) from 199 in 2010 to 344 in 2017.
During that seven-year period, almost three out of four breaches occurred at health care providers: 1,503 breaches, or 70 percent of all breaches. Those breaches compromised 37.1 million records (21 percent of all breached records).
However, breaches involving health plans accounted for 63 percent of all breached records, or 110.4 million records. There were fewer total breaches at health plans during that seven-year period, with 278 breaches, or 13 percent of all breaches.
Business associates accounted for 28.7 million records breached, or 16 percent of all records breached.
The study also indicates changing trends over time with the adoption of EHRs and digital technology, as the most common type of breach in 2010 was theft of physical records. By 2017 data hacking or other information technology incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data, according to the study.
Similarly, the most common type of breached media in 2010 was laptop computers, followed by paper and film records, while by 2017 network servers or email accounted for the largest number of breaches. Overall, the greatest number of patient records was breached from network servers.
“While the total of 510 breaches of paper and film records impacted about 3.4 million patient records, the 410 breaches of network servers impacted nearly 140 million records; and the three largest breaches together accounted for a bit more than half of all records breached,” McCoy said. “As we work to make breaches less common and less consequential, we need to better understand systemic risk factors for data breach and the harms that arise from data disclosure.”
Furthermore, during this seven-year period, there also were increases in hacking or information technology (IT) incidents and unauthorized access, which both surpassed theft by 2016.
Perlis said in a statement, “For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly.”
McCoy is an assistant professor of Psychiatry and Medicine, and Perlis is a professor of Psychiatry at Harvard Medical School.