Research Letter

Data Breaches of Protected Health Information in the United States

Vincent Liu, MD, MS (1); Mark A. Musen, MD, PhD (2); Timothy Chou, PhD (3)
Author Affiliations:
(1) Kaiser Permanente Division of Research, Oakland, California
(2) Stanford Center for Biomedical Informatics Research, Stanford, California
(3) Department of Computer Science, Stanford University, Stanford, California
JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252.

Reports of data breaches have increased during the past decade [1,2]. Compared with other industries, these breaches are estimated to be the most costly in health care; however, few studies have detailed their characteristics and scope [1].

We evaluated an online database maintained by the US Department of Health and Human Services describing data breaches of unencrypted protected health information (ie, individually identifiable information) reported by entities (health plans and clinicians) covered under the Health Insurance Portability and Accountability Act (HIPAA) [3]. Under the Health Information Technology for Economic and Clinical Health Act of 2009, breaches involving the acquisition, access, use, or disclosure of protected health information and thus posing a significant risk to affected individuals must be reported [4].

When data breaches affect 500 individuals or more, the report must include the name and state of the entity breached, the number of records affected, the type and source of the breach, and the involvement of any external vendor using protected health information. Examples include the theft of unsecured laptops, dissemination of data in emails, and improper disposal of patient records. Reports are made online via form templates [3].

We included breaches affecting 500 individuals or more reported as occurring from 2010 through 2013, accounting for 82.1% of all reports [3]. We quantified the frequency and geographic locations of breaches, adjusting for 2013 population estimates from the US Census Bureau.

Based on categorical templates, we grouped breaches as occurring via theft, loss or improper disposal of data, unauthorized data access or disclosure, hacking or information technology incidents, or other and missing (n = 2). We described the media through which breaches occurred as electronic (including network server; desktop computer, email, and electronic medical records; or laptop computer and electronic portable devices), paper, or other.

We compared annual data with χ2 tests and linear regression using Stata version 13.1 (StataCorp) with a 2-sided significance level of P < .05. The Kaiser Permanente Northern California institutional review board determined that this study did not qualify as human subjects research.
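The grouping and per-capita adjustment described in the three paragraphs above can be reproduced mechanically from the OCR portal's CSV export. The Python below is an added example for this page, not the authors' code or any HHS tooling: the column names are my assumption about that export's layout, the sample rows and the population denominators are constructed for illustration (the letter's real denominators were 2013 US Census Bureau estimates), and the keyword tables map the portal's category vocabulary onto the letter's breach groups and media groups.

```python
"""Summarize HHS OCR breach-portal rows into the letter's categories.

Added example, not the authors' code. Column names follow the OCR
breach-report CSV export as I understand it (assumption); the sample rows
and population figures are constructed, not real data.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed rows in the shape of the OCR portal's CSV export. None of these
# is a real report; the last row is below the 500-individual threshold on
# purpose, to show the cutoff being applied.
SAMPLE_CSV = """\
Name of Covered Entity,State,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Health Plan A,CA,5200,01/15/2011,Theft,Laptop,No
Example Clinic B,CA,800,06/02/2012,Hacking/IT Incident,Network Server,Yes
Example Hospital C,TX,1200000,03/11/2013,Theft,Other Portable Electronic Device,No
Example Practice D,NY,650,09/30/2010,Improper Disposal,Paper/Films,No
Example Group E,IL,2300,11/05/2013,Unauthorized Access/Disclosure,Email,Yes
Example Center F,TX,510,05/19/2012,Loss,Desktop Computer,No
Example Dentist G,TX,120,05/20/2012,Theft,Laptop,No
"""

# Illustrative denominators only (assumption); the letter used 2013 Census
# Bureau estimates, which are not reproduced here.
POPULATION_2013 = {"CA": 38_000_000, "TX": 26_000_000, "NY": 19_500_000, "IL": 12_800_000}

# Portal vocabulary -> the letter's five breach groups. Checked in order,
# because one report can list more than one type.
BREACH_GROUPS = [
    ("theft", "theft"),
    ("loss", "loss_or_improper_disposal"),
    ("disposal", "loss_or_improper_disposal"),
    ("unauthorized", "unauthorized_access_or_disclosure"),
    ("hacking", "hacking_or_it_incident"),
    ("it incident", "hacking_or_it_incident"),
]

# Portal vocabulary -> the letter's media groups (electronic subtypes, paper).
MEDIA_GROUPS = [
    ("paper", "paper"),
    ("server", "electronic:network_server"),
    ("laptop", "electronic:laptop_or_portable"),
    ("portable", "electronic:laptop_or_portable"),
    ("desktop", "electronic:desktop_email_emr"),
    ("email", "electronic:desktop_email_emr"),
    ("electronic medical record", "electronic:desktop_email_emr"),
]


def classify(value, table, default):
    """Return the first label whose keyword appears in value, else default."""
    v = value.lower()
    for needle, label in table:
        if needle in v:
            return label
    return default


def summarize(csv_text, min_affected=500):
    """Tally breaches and records by group, media, year, vendor and state."""
    s = {"n": 0, "records": 0, "vendor_involved": 0,
         "by_group": Counter(), "by_media": Counter(), "by_year": Counter(),
         "by_state": defaultdict(lambda: {"breaches": 0, "records": 0})}
    for row in csv.DictReader(io.StringIO(csv_text)):
        affected = int(row["Individuals Affected"].replace(",", ""))
        if affected < min_affected:
            continue  # same cutoff as the portal's itemized list
        year = datetime.strptime(row["Breach Submission Date"], "%m/%d/%Y").year
        s["n"] += 1
        s["records"] += affected
        if row["Business Associate Present"].strip().lower() == "yes":
            s["vendor_involved"] += 1
        s["by_group"][classify(row["Type of Breach"], BREACH_GROUPS, "other_or_missing")] += 1
        s["by_media"][classify(row["Location of Breached Information"], MEDIA_GROUPS, "other")] += 1
        s["by_year"][year] += 1
        st = s["by_state"][row["State"].strip().upper()]
        st["breaches"] += 1
        st["records"] += affected
    return s


def electronic_share(summary):
    """Fraction of breaches whose media group is any electronic subtype."""
    elec = sum(c for m, c in summary["by_media"].items() if m.startswith("electronic:"))
    return elec / summary["n"] if summary["n"] else 0.0


def adjusted_by_state(summary, population, per=100_000):
    """Breaches and records per `per` residents, skipping states with no denominator."""
    out = {}
    for state, v in summary["by_state"].items():
        pop = population.get(state)
        if not pop:
            continue
        out[state] = {"breaches_per_100k": v["breaches"] * per / pop,
                      "records_per_100k": v["records"] * per / pop}
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_CSV)
    print(s["n"], "breaches,", s["records"], "records")
    print("by group:", dict(s["by_group"]))
    print("by media:", dict(s["by_media"]))
    print("electronic share:", round(electronic_share(s), 3))
    print("per-capita:", adjusted_by_state(s, POPULATION_2013))
```

To run this against the actual portal export, replace `SAMPLE_CSV` with the file contents and `POPULATION_2013` with the Census figures; the keyword tables will need checking against the real category strings, since the portal's wording is not quoted in the letter.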

We evaluated 949 breaches affecting 29 million records between 2010 and 2013. Six breaches involved more than 1 million records each, and the number of reported breaches increased over time, although the trend using linear regression did not reach statistical significance (P = .07; Table). Breaches were reported in every state, the District of Columbia, and Puerto Rico. Five states (California, Texas, Florida, New York, and Illinois) accounted for 34.1% (95% CI, 31.2%-37.2%) of all breaches. However, when adjusted by population estimates, the states with the highest adjusted number of breaches and affected records varied (Figure).

Table. Characteristics of Data Breaches of Protected Health Information Affecting at Least 500 Individuals Reported by Entities Covered by the Health Insurance Portability and Accountability Act

Figure. Adjusted Number of Data Breaches and Affected Records Between 2010 and 2013 by State and Quartile

Adjusted values were calculated by dividing the number of breaches and the affected records by 2013 population estimates from the US Census Bureau based on the state in which the breach was reported. The data quartiles are per 100 000 residents. The Figure does not display data for Hawaii, Alaska, or Puerto Rico.

Most breaches occurred via electronic media (67.4%; 95% CI, 64.4%-70.4%; Table), frequently involving laptop computers or portable electronic devices (32.7%; 95% CI, 29.7%-35.7%). Most breaches also occurred via theft (58.2%; 95% CI, 55.0%-61.3%). The combined frequency of breaches resulting from hacking and unauthorized access or disclosure increased during the study period (12.1% in 2010 to 27.2% in 2013; P = .003). Breaches involved external vendors in 28.8% (95% CI, 25.9%-31.7%) of reports.

Between 2010 and 2013, data breaches reported by HIPAA-covered entities involved 29 million records. Most data breaches resulted from overt criminal activity. The persistent threat of theft and the increase in hacking raise serious security concerns.

Our study was limited to breaches that were already recognized, reported, and affecting at least 500 individuals. Therefore, our study likely underestimated the true number of health care data breaches occurring each year. Some entities or patients may have been involved in more than 1 breach.

We were unable to assess the costs or the effect on operations caused by these breaches and the accompanying increased data security measures. We were also unable to calculate the rates at which breaches occurred based on the number of total US records or entities at risk.

Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services provided by vendors supporting predictive analytics, personal health records, health-related sensors, and gene sequencing technology, the frequency and scope of electronic health care data breaches are likely to increase [2,5,6]. Strategies to mitigate the risk and effect of these data breaches will be essential to ensure the well-being of patients, clinicians, and health care systems.

Section Editor: Jody W. Zylke, MD, Deputy Editor.

Corresponding Author: Vincent Liu, MD, MS, Kaiser Permanente Division of Research, 2000 Broadway, Oakland, CA 94612 (vincent.x.liu@kp.org).

Author Contributions: Dr Liu had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.

Study concept and design: All authors.

Acquisition, analysis, or interpretation of data: Liu.

Drafting of the manuscript: Liu.

Critical revision of the manuscript for important intellectual content: All authors.

Statistical analysis: Liu.

Obtained funding: Liu.

Administrative, technical, or material support: Musen.

Study supervision: Chou.

Conflict of Interest Disclosures: The authors have completed and submitted the ICMJE Form for Disclosure of Potential Conflicts of Interest and none were reported.

Funding/Support: Dr Liu was supported by the Permanente Medical Group and grant K23 GM112018 from the National Institutes of Health.

Role of the Funder/Sponsor: The sponsors had no role in the design and conduct of the study; collection, management, analysis, and interpretation of the data; and preparation, review, or approval of the manuscript, and decision to submit the manuscript for publication.

Correction: This article was corrected on May 21, 2015, to fix wording and data errors in the text and Table.

References

1. Symantec Corporation. 2013 Cost of Data Breach Study: Global Analysis. https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf. Accessed December 8, 2014.
2. Blumenthal D. Wiring the health system—origins and provisions of a new federal program. N Engl J Med. 2011;365(24):2323-2329.
3. US Department of Health and Human Services Office for Civil Rights. Breaches affecting 500 or more individuals. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed December 4, 2014.
4. 45 CFR Parts 160 and 164.
5. Schneeweiss S. Learning from big health care data. N Engl J Med. 2014;370(23):2161-2163.
6. Adler-Milstein J, Jha AK. Sharing clinical data electronically: a critical challenge for fixing the health care system. JAMA. 2012;307(16):1695-1696.
