HHS data shows 1,800 large data breaches since 2009

Register now

Nearly 1,800 large data breaches involving patient information have occurred since 2009, according to an analysis of publicly available data from the Department of Health and Human Services.

Researchers examined HHS data for the period from Oct. 21, 2009, through Dec. 31, 2016. What they found is that providers reported more than 1,200 of the reported breaches, while business associates, health plans and healthcare clearinghouses reported the remaining breaches.

In addition, 257 breaches during that time period were reported by 216 hospitals, with 33 suffering more than one breach—many of which were large, major teaching hospitals.

Results from the retrospective data analysis were recently published in the journal JAMA Internal Medicine.

However, Ge Bai, lead author of the study and assistant professor at The Johns Hopkins Carey Business School, notes that under HIPAA regulations covered entities are required to notify HHS of any breach affecting 500 or more individuals within 60 days from the discovery of the breach.

“With smaller breaches, there is no need to report,” says Bai. As a result, she contends that the HHS data does not accurately reflect the total number of breaches, which may be significantly higher. “We don’t know how many breaches actually happened in terms of the smaller ones,” according to Bai.

Also See: Public-private partnership key to countering healthcare cyber threats

John Suit, chief technology officer at data security vendor Trivalent, says the study demonstrates that data protection technology has not been able to keep up with the digitization of healthcare.

“The result is an extreme risk for patients who put their trust in healthcare organizations to address their medical concerns, but also protect their sensitive and personal information,” says Suit. “To address this, hospitals, pharmacies, assisted living facilities, insurance providers, and research institutions must strengthen their security strategy and adopt a defense-in-depth approach with multiple layers of protection.”

Suit also points out that traditional encryption is no longer enough to thwart the growing number of cyber threats. He contends that the healthcare industry “must turn to next generation solutions to protect data at the file level with encryption, shredding and secure storage, which renders personal patient data useless to unauthorized parties.”

Nonetheless, Bai makes the case that a fundamental trade-off exists between data security and data access and that “100 percent zero breaches” with “absolutely no breaches at all” is an unrealistic expectation. “All you can do is manage the risk, not eliminate it,” she concludes.

For reprint and licensing requests for this article, click here.