Health plans accounted for the greatest number of patient records breached over the past seven years, according to an analysis of U.S. health care data conducted by two Massachusetts General Hospital (MGH) physicians.
Their report, published in JAMA, examined changes in data breaches during a period when electronic health records were being widely adopted across the country.
While the largest number of data breaches took place at health care providers (hospitals, physician offices, and similar entities), breaches involving the greatest number of patient records took place at health plans.
Lead author Thomas McCoy, M.D., director of research at the MGH Center for Quantitative Health, said in a statement, “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure.”
McCoy and senior author Roy Perlis, M.D., director of the Center for Quantitative Health, analyzed all data breaches reported to the Office of Civil Rights of the U.S. Department of Health and Human Services from January 1, 2010, to December 31, 2017. They examined trends in the numbers and types of breaches reported in three categories: those taking place at health care providers, at health plans and at business associates – entities that do not provide or reimburse for health services but have legitimate access to patient data in support of plans or providers.
Protections for private patient data and mandatory public reporting of breaches of data confidentiality were established by the 1999 Health Insurance Portability and Accountability Act (HIPAA) and 2009 Health Information Technology for Economic and Clinical Health Act. Between 2010 and 2013, data breaches involving at least 29.1 million patient records were reported. The researchers surmised that the ongoing transition to electronic health records may increase such breaches, and used public data to examine the nature and extent of breaches from 2010 through 2017.
The researchers’ analysis covered 2,149 reported breaches involving a total of 176.4 million patient records, with individual breaches ranging from 500 to almost 79 million patient records. Over the seven-year period, the total number of breaches increased every year (except in 2015) from 199 in 2010 to 344 in 2017.
During that seven-year period, almost three out of four breaches occurred at healthcare providers: 1,503 breaches, or 70 percent of all breaches. In those breaches, 37.1 million records were compromised (21 percent of all breached records).
However, breaches involving health plans accounted for 63 percent of all breached records, or 110.4 million records. There were fewer total breaches at health plans during that seven-year period, with 278 breaches, or 13 percent of all breaches.
Business associates accounted for 28.7 million records breached, or 16 percent of all records breached.