Data security has never been more important for healthcare providers. The number of health data breaches continues to grow each year and 2016 is no exception, according to data from the Department of Health and Human Services.
Experts say that even though the market price of healthcare data has gone down, hackers and other thieves have only become more aggressive. While large-scale data heists like those affecting Banner Health and UCLA Health are the most prominent examples, a look at the record of data breaches shows most are not the result of sophisticated cyberattacks but human error and simple theft, affecting hospitals and health systems of all sizes.
Hospital and Health System Data Breaches by Type
Source: OCR data breach portal
Under the Affordable Care Act, Health and Human Services’ Office for Civil Rights must publicly post all data breaches affecting more than 500 patients. Since 2009, the list has grown to nearly 1,700 cases. A review indicates that roughly 400 of them directly involve hospitals or health systems. Of those, theft was the primary cause. Computers, especially laptops, were the usual target of theft, taken from offices and employee vehicles. Theft, as a category, also affected significant numbers of patients per incident, with a median of slightly over 3,600. It was also more of a problem at larger hospitals, possibly because they have more devices that can potentially be stolen. Fortunately for hospitals, while some theft may be inevitable, encrypting devices that contain patient data is a simple measure that can effectively prevent breaches.
IT Operating Expense by Breach Category
*Estimated values based on Definitive Healthcare calculations
The next most common category of data breach was unauthorized access/disclosure, representing about a fourth of all reviewed cases. While a description is not available for every incident reported, many indicate the breach was the result of human error. In 2014, for instance, an employee at health system Susquehanna Health disclosed more protected health information to an insurer than a claims request called for. And in 2013, a staff member at Baylor All Saints Medical Center at Fort Worth exposed information on nearly 1,000 patients when he forwarded messages from a pager as texts. Other causes were as innocuous as mislabeled addresses, though in some cases employees acted with criminal intent.
The least common type of breach was improper disposal of medical documents, numbering only five or six per year across all healthcare providers since 2010. The low frequency is not surprising given the overall transition away from paper records. Normally, hospital records are shredded and placed into secured bins, but occasionally maintenance personnel or cleaning service staff dispose of them as ordinary trash, judging by the incident descriptions. In one peculiar example, a local business was found to be using shredded documents from South Sunflower County Hospital in Mississippi as packing material. Among hospitals, this type of breach was more prevalent at smaller facilities with fewer beds and employees.
Hacking is undoubtedly the most dangerous type of data breach and, in some cases, the most difficult to prevent. While OCR data show it to be a relatively rare event, with only 39 instances at hospitals and health systems over the past six years, each incident usually exposes far more patient data. For the 14 health systems counted, the median number of patients affected per attack exceeded 18,000, and in the case of UCLA Health, reached 4.5 million. For 21 of the 39 total cases, however, the source of the attack was a virus-infected email, phishing message, or individual computer, suggesting that better employee training could have prevented the breach. Even so, the number of hacking breaches across all healthcare providers has grown every year since the OCR began tracking attacks, and hospitals will need to keep investing in IT security and safe procedures.
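The category counts and per-category medians cited above (roughly 3,600 patients for theft, over 18,000 for hacking) come from a review of the OCR breach portal export. As an added illustration, not code from Definitive Healthcare or the OCR, the script below shows how such a review can be reproduced from the portal's CSV. The column names are assumed to match the portal's export, the sample rows are constructed, and the rule for identifying hospitals and health systems (a name-keyword match on "Healthcare Provider" entities) is a simplifying assumption rather than the method the article used.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample rows laid out like the OCR breach portal CSV export.
# Column names are assumed to match the portal; entity names and figures are invented.
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Example Regional Hospital,TX,Healthcare Provider,4200,03/02/2015,Theft,Laptop
Example Health System,CA,Healthcare Provider,3100,07/14/2014,Theft,Desktop Computer
Example County Hospital,OH,Healthcare Provider,900,01/20/2013,Unauthorized Access/Disclosure,Paper/Films
Example Medical Center,NY,Healthcare Provider,18500,11/05/2015,Hacking/IT Incident,Network Server
Example Health System,FL,Healthcare Provider,26000,05/30/2016,Hacking/IT Incident,Email
Example Dental Clinic,WA,Healthcare Provider,600,09/09/2014,Theft,Laptop
Example Insurance Plan,IL,Health Plan,12000,02/11/2016,Hacking/IT Incident,Network Server
Example Community Hospital,MS,Healthcare Provider,1500,06/18/2012,Improper Disposal,Paper/Films
"""

# Assumed heuristic: a covered entity counts as a hospital or health system when it is a
# healthcare provider and its name carries one of these keywords.
HOSPITAL_KEYWORDS = ("hospital", "health system", "medical center")


def load_rows(csv_text):
    """Parse portal-style CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_hospital_or_health_system(row):
    name = row["Name of Covered Entity"].lower()
    return (row["Covered Entity Type"] == "Healthcare Provider"
            and any(k in name for k in HOSPITAL_KEYWORDS))


def submission_year(row):
    # Portal dates are MM/DD/YYYY; the year is the last four characters.
    return int(row["Breach Submission Date"][-4:])


def summarize_by_type(rows, only_hospitals=True, since_year=None):
    """Count incidents and compute median/total individuals affected per breach type."""
    buckets = defaultdict(list)
    for row in rows:
        if only_hospitals and not is_hospital_or_health_system(row):
            continue
        if since_year is not None and submission_year(row) < since_year:
            continue
        try:
            affected = int(row["Individuals Affected"].replace(",", ""))
        except ValueError:
            continue  # skip rows with a blank or malformed count
        buckets[row["Type of Breach"]].append(affected)
    return {
        breach_type: {
            "incidents": len(counts),
            "median_affected": statistics.median(counts),
            "total_affected": sum(counts),
        }
        for breach_type, counts in buckets.items()
    }


def share_not_hacking(summary):
    """Fraction of incidents that are theft, disclosure, disposal or loss rather than hacking."""
    total = sum(v["incidents"] for v in summary.values())
    hacking = summary.get("Hacking/IT Incident", {}).get("incidents", 0)
    return (total - hacking) / total if total else 0.0


if __name__ == "__main__":
    summary = summarize_by_type(load_rows(SAMPLE_CSV))
    for breach_type, stats in sorted(summary.items(), key=lambda kv: -kv[1]["incidents"]):
        print(f"{breach_type:32} incidents={stats['incidents']:3} "
              f"median={stats['median_affected']:>9,.0f} total={stats['total_affected']:>9,}")
    print(f"share of non-hacking incidents: {share_not_hacking(summary):.0%}")
```

Running it on the real export instead of the constructed sample only requires replacing SAMPLE_CSV with the file contents; the two filters (hospital heuristic and since_year) are what produce the per-category view the article discusses, and the median rather than the mean keeps a single outlier such as a multi-million-patient hack from dominating the hacking figure.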
Healthcare experts anticipate that the number of security threats will continue to increase, especially with the introduction of ransomware attacks that allow hackers to extort money quickly. In response, the OCR recently announced it would expand the scope of its investigations to include breaches affecting fewer than 500 patients, the normal threshold, in cases of “systemic noncompliance” with security safeguards. The move follows several years of rising fines. For hospitals and health systems, data security can be a tough job with tough penalties for failure, but it is an essential one in today’s electronic and data-driven healthcare environment.
Definitive Healthcare has the most up-to-date, comprehensive and integrated data on over 7,700 hospitals, 1.4 million physicians, and numerous other healthcare providers. Users can search by numerous metrics, including technology deployment and type, financial spending, and whether a facility suffered a data breach.