Health data breaches on the rise

(Reuters Health) - Health data breaches are on the rise, a new study shows.

While the largest number of data breaches occurred at health care providers’ sites - such as hospitals and physicians’ offices - it’s health care plans that account for the greatest number of patient records stolen over the past seven years, according to the study published in JAMA.

“The climb in the total number of records breached is primarily attributable to very large breaches of electronic systems,” said study leader Dr. Thomas McCoy, an assistant professor of psychiatry and medicine at Harvard University and director of research for the Center for Quantitative Health at Massachusetts General Hospital in Boston.

And while large centralized databases offer health researchers a goldmine of records that can be used to improve healthcare, you have “to balance the risks (of being hacked) against the benefits to research,” McCoy said.

McCoy and his coauthor analyzed all data breaches that were reported to the Office of Civil Rights at the U.S. Department of Health and Human Services from January 2010 through December 2017. The researchers looked at trends in the numbers and types of breaches reported in three categories: those taking place at health care providers, at health plans and at businesses associated with healthcare.

The analysis turned up 2,149 breaches involving a total of 176.4 million patient records, with individual breaches ranging from 500 to nearly 79 million patient records. During the seven-year period, the total number of breaches increased every year except for 2015, starting at 199 in 2010 and rising to 344 in 2017.

While 70 percent of all breaches involved data stored by health care providers, the breaches involving data kept by health plans accounted for 63 percent of all stolen records.

The researchers found that 510 breaches involved paper and film records, which impacted about 3.4 million patients, as compared to 410 breaches of network servers that impacted nearly 140 million records. The three largest breaches together accounted for more than half of the stolen records.

Why would thieves want your health data?

“There’s financial data embedded in health data - your name, your address, your social security number,” said Chris Carmody, senior vice president of infrastructure and services and president of ClinicalConnect Health Information Exchange at the University of Pittsburgh Medical Center in Pennsylvania. “With that information someone could go out and get a credit card account. Or a criminal could go out and sell it on the dark web, the shady part of the internet where identities are sold and traded.”

Healthcare-related organizations have become a more interesting target as they have increasingly adopted digital records, said Carmody, who is not affiliated with the new research. “They’re going after the easiest target and unfortunately healthcare has that stigma,” he said. “The benefit of this research paper is that it highlights cyber security threats. It will probably happen to most organizations at one point or another and maybe even multiple times.”

While the risk of theft is real, Carmody doesn’t suggest doing away with electronic records. “They empower patients,” he explained. “So the message shouldn’t be to ask your doctors to stop using electronic records, but rather to ask what they are doing to protect your data.”

Theoretically, it’s also possible that thieves could try to sell health data to employers wanting yet another source of information on prospective hires, said Michael Pencina, vice dean for Data Science and Information Technology at the Duke University School of Medicine in Durham, North Carolina.

Still, the risks are small compared to the benefits that are already accruing from big health data, said Pencina, who is not affiliated with the new research. With a huge source of information on various diseases, researchers can devise new treatments and tests, he added.

Access to a large number of scans, for example, can help scientists “teach” computers to spot diseases “with accuracy that matches or exceeds what a human can achieve,” Pencina said.

With this kind of data, “the potential is huge,” Pencina said.

SOURCE: Journal of the American Medical Association, online September 25, 2018.