(Reuters Health) – Large-scale health data breaches reported by doctors and health plans have been rising steadily, a new report shows.
From 2010 to 2013, nearly 1000 large breaches affected more than 29 million individual health records, and more than half resulted from theft or loss of laptops, thumb drives and paper records, according to researchers with access to government data.
Hacking incidents more than doubled during those years but still represented less than a third of all breaches.
“While electronic data security and privacy is not a problem that is unique to healthcare, individually identifiable health data cannot be easily reset or changed once it has been compromised like credit card information can, for example,” said lead author Dr. Vincent Liu of the Kaiser Permanente Division of Research in Oakland, California.
“Electronic health records and other emerging technologies for using health data have great potential to improve the delivery of high-value healthcare, however, we must ensure that our patients’ data remains secure,” Liu told Reuters Health by email.
He and his coauthors analyzed the U.S. Department of Health and Human Services database of breaches of unencrypted health information reported by Health Insurance Portability and Accountability Act (HIPAA) covered entities. They only included breaches affecting at least 500 individuals, and where the information could be traced back to individual patients.
Between 2010 and 2013, there were 949 of these large unauthorized acquisitions, accesses, uses or disclosures, involving more than 29 million records.
The yearly number of breaches rose from 214 in 2010 to 236 in 2011, 234 in 2012 and 265 in 2013.
Most involved electronic health records, and a third involved laptop computers or portable electronic devices.
These numbers, published in the Journal of the American Medical Association, only include breaches that were recognized, reported and affected at least 500 records, so they likely underestimate the true number occurring each year.
“We found that as many as 30 million records were compromised in a four-year span,” Liu said. “If each of these represented records from a unique patient, it could suggest that as many as 1 of every 11 Americans’ healthcare data has been compromised.”
Hacking increased over the study period, from 12 percent to 27 percent of incidents. But the physical theft of unsecure paper or electronic records accounted for 55 percent of breaches.
“Thus, while hacking represents a serious threat to the security of healthcare data, improved cybersecurity alone is not a panacea for our data security problems,” Liu said.
Many breaches occur due to inadequate practices, like failure to encrypt data, or providers loading data onto thumb drives and carrying them around outside of the healthcare setting, said Dr. David Blumenthal of The Commonwealth Fund in New York, who co-authored an editorial about the results.
“A lot of that is about changing behavior of healthcare institutions and providers,” Blumenthal told Reuters Health by phone.
Concerned patients can ask at the reception desk of their doctor’s office or hospital about what security measures are taken with their health information, he said.
“I don’t think that people will necessarily understand what is said to them or that the responses will be accurate, but knowing that people care creates an immensely powerful force for change,” Blumenthal said.
People may be getting better at recognizing and reporting data leaks, which would explain their apparent increase over time, he said.
The breaches all incur federal penalties, but the penalties are not sufficient or stringent enough, he said.
Electronic health records do have tremendous value, however, Liu said.
“Leveraging information through technology, including electronic health records (EHRs) means that doctors in hospitals have access to full health records where and when they need them and . . . have all of the information about all of the patients all of the time,” he said.
“So there are benefits as well as risks that healthcare providers and others will need to continue to address in the new age,” Liu said.
SOURCE: bit.ly/1c9i5E4 JAMA, April 14, 2015.