Researchers at Michigan State University and Johns Hopkins University have released a report containing their analysis of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) between October 2009 and December 2017. The report found that 53% of breaches were attributable to internal causes.
The study, entitled “Evaluation of Causes of Protected Health Information Breaches”, was published in JAMA Internal Medicine. The research was carried out by Xuefeng “John” Jiang, associate professor of accounting and information systems at Michigan State University, and Ge Bai, associate professor at the Johns Hopkins Carey Business School. The paper covered over a thousand reported healthcare breaches, affecting 164 million patients in total. It should be noted that, because OCR only publishes summaries of breaches affecting 500 or more individuals, the data set is skewed toward large breaches and says little about the many smaller incidents.
Previous work had analysed which types of hospitals were most prone to data breaches, but there was little information about the main causes of those breaches. A thorough understanding of how data breaches occur may help those in the healthcare industry mitigate the risk of future incidents.
The OCR breach reports split data breaches into six categories: hacking/IT incidents, unauthorized access/disclosure incidents, theft, loss, improper disposal, and unknown. Approximately 77.6% of breaches were correctly classified, while 22.24% were misclassified or had an unknown cause.
The breakdown of correctly classified data breaches is as follows (percentages are rounded, so rows and columns may not sum exactly):

Cause | Internal breaches (%) | External breaches (%) | Total (%)
--- | --- | --- | ---
Theft | 9 | 33 | 42
Unauthorised disclosure | 25 | 0 | 25
Hacking/IT incident | 9 | 12 | 21
Loss | 7 | 3 | 10
Improper disposal | 3 | 0 | 3
Total | 53 | 47 | 100
Hacking incidents, whether by insiders or outsiders, receive a great deal of media coverage, and for good reason. Although hacking/IT incidents accounted for only 21% of breaches, they were responsible for nearly 134 million of the 164 million compromised records. There may be fewer individual events, but each one can affect millions of patients. Hospitals and other medical facilities are lucrative targets for attackers because of the high black-market value of medical data.
Internal breaches account for 53% of all breaches. This figure highlights the importance of the technical, administrative, and physical safeguards that should be in place to protect data from accidental or deliberate breaches caused by staff members. Guidelines on these safeguards are detailed in HIPAA’s Security Rule. Thorough training programs should be implemented across the healthcare industry to ensure that employees understand their responsibilities under HIPAA and the consequences should they fail to protect the confidentiality and integrity of PHI.
“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the number that were caused by external hackers,” said Xuefeng Jiang, associate professor of accounting and information systems at MSU’s Eli Broad College of Business and lead author of the study. “This could be an employee taking PHI home or forwarding it to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”
An analysis of the location of breached PHI showed that 46.1% of breaches involved mobile devices, 28.7% involved paper records and 29.3% involved network servers. (A single breach can involve more than one location, which is why these figures sum to more than 100%.)
The report stressed the importance of adopting new policies and developing best practices to keep the risk of breaches to a minimum and to ensure that, if breaches do occur, they are dealt with efficiently. The use of encryption software, restricting the use of mobile devices, switching to digital records, improving physical security, strengthening firewalls and other cybersecurity protections, and enhancing monitoring and auditing are all highlighted as precautions that those in the healthcare industry should consider.
“Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security,” explained the researchers in the paper.
Breaches vary in severity. It is possible that many of the accidental disclosure incidents were on a small scale; one patient’s data may have been shown to one other person who didn’t have authorisation to see the records. Hacking and IT incidents are generally on a larger and more dangerous scale; Anthem Inc’s 78.8 million record breach in 2015 was used as an example. Many breach victims had tax returns filed in their names, resulting in financial losses.
The breach was not only a disaster for patients, but for Anthem too. The immediate aftermath of the breach came with considerable cost: improving cybersecurity protections; hiring forensic investigators, cybersecurity consultants, and legal advisors; printing and mailing notification letters; and providing credit monitoring services for breach victims. In addition, Anthem had to cover the cost of defending multiple class action lawsuits, which were ultimately settled for $115 million.
Anthem has also recently agreed to pay $16 million to OCR to settle the potential HIPAA violations uncovered during its breach investigation. Anthem’s reputation has also been tarnished by the breach, a cost that is difficult to calculate.
The paper emphasises the importance of understanding the causes of breaches at all levels, and urges those in the healthcare industry to re-evaluate their ability to maintain the integrity of sensitive patient data.