It seems like every week we're hearing about a new data breach involving a hospital, doctor's office or health insurance provider. Not surprisingly, a new report has revealed a growing trend of HIPAA data breaches, affecting approximately 29 million medical records between 2010 and 2013.
Vincent Liu, MD, MS, of Kaiser Permanente’s Division of Research, and his team of colleagues closely analyzed the public databases of the Department of Health and Human Services to determine exactly how many breaches of unencrypted Protected Health Information (PHI) occurred. Rather than evaluating each and every HIPAA data breach, however, (which would probably be near-impossible), they focused strictly on those involving 500 or more patients during a 3-year period.
In total, Liu discovered 949 data breaches involving 500 or more patients between 2010 and 2013. These breaches accounted for a jaw-dropping 29.1 million disclosed records. What's even more alarming, however, is that half a dozen of these breaches involved more than 1 million patient and/or customer records (note: this number doesn't reflect the recent Anthem, Inc. and Premera, Inc. cases).
The report found that most data breaches were “facilitated” by electronic media, such as laptops, USB flash drives, etc. And more than half (58.2%) of all the reported HIPAA data breaches were attributed to theft. It's not uncommon for doctors, nurses or other healthcare workers to have their devices stolen, at which point the thief may sell any PHI he or she finds. As noted in the Liu's report, this is an all-too-common scenario that results in the unauthorized disclosure of Protected Health Information.
“Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services provided by vendors supporting predictive analytics, personal health records, health-related sensors, and gene sequencing technology, the frequency and scope of electronic health care data breaches are likely to increase. Strategies to mitigate the risk and effect of these breaches will be essential to ensure the well-being of patients, clinicians, and health care systems,” said Liu and his team of colleagues.
On a side note, more than a third of all data breaches cited in the report originated in the following states: California, Florida, Illinois, New York and Texas. HIPAA data breaches have been reported in all states, but these tend to experience the highest numbers time and time again.