A new study suggests data breaches of protected health information are on the rise in the US.
Researchers found that, between 2010 and 2013, there were data breaches affecting approximately 29 million records of health information covered under the Health Insurance Portability and Accountability Act (HIPAA).
Breaches were reported in every state, tended to occur via electronic media, and largely resulted from overt criminal activity.
Vincent Liu, MD, of the Kaiser Permanente Division of Research in Oakland, California, and his colleagues published these findings in JAMA.
The researchers evaluated an online database maintained by the US Department of Health and Human Services that describes data breaches of unencrypted, protected health information (ie, individually identifiable information) reported by entities (health plans and clinicians) covered under HIPAA.
The team included breaches affecting 500 individuals or more that were reported as occurring from 2010 through 2013, accounting for 82% of all reports.
The research revealed 949 breaches affecting 29.1 million records. Six breaches involved more than 1 million records each.
The number of reported breaches increased over time, from 214 in 2010 to 265 in 2013.
Breaches were reported in every state, the District of Columbia, and Puerto Rico. Five states (California, Texas, Florida, New York, and Illinois) accounted for 34% of all breaches. However, when adjusted by population estimates, the states with the highest adjusted number of breaches and affected records varied.
Most breaches occurred via electronic media (67%), frequently involving laptop computers or portable electronic devices (33%). Most breaches also occurred via theft (58%).
The combined frequency of breaches resulting from hacking and unauthorized access or disclosure increased during the study period, from 12% in 2010 to 27% in 2013. Breaches involved external vendors in 29% of reports.
The researchers noted that this study was limited to breaches that had already been recognized and reported and that affected at least 500 individuals. Therefore, the team likely underestimated the true number of healthcare data breaches occurring in the US each year.