Little progress made in the prevention of medical data breaches

Published: January 1, 2013 by Michael Bruemmer

Since stricter regulations were imposed in 2009, the healthcare industry's track record on patient data protection and security has improved very little, according to the latest study from the Health Information Trust Alliance (HITRUST)1. The study reports that from 2009 to the first half of 2012 there were 495 medical data breaches involving 21 million records and costing roughly $4 billion. Government organizations, including VA hospitals, accounted for the highest number of lost records, and the states with the most healthcare data breaches are California, Texas and New York. Since 2009 the total number of data breaches at hospitals and health systems decreased only slightly, but it increased at smaller private physician practices, which accounted for more than 60% of the 459 breaches reviewed in the study.

The report also found that the majority of breaches (70 percent) were electronic, and that the leading cause of data breach incidents was stolen devices such as laptops and mobile media. However, paper records still play a role in data breaches, accounting for 24 percent of medical data breaches, second only to lost laptops. Mailing errors and improper disposal of records were the main reasons for paper-based breaches.

The Health Information Technology for Economic and Clinical Health (HITECH) Act gives healthcare organizations 60 days in which to notify victims about a data breach, yet over 50 percent of companies failed to meet this deadline after a breach.

And it may get worse before it gets better if the medical industry does not find a way to protect itself from the risks of BYOD (bring your own device) policies. BYOD has become commonplace at smaller physician offices, where medical personnel commonly look up patient information on their own smartphones without sufficient encryption or passwords in place, which poses a problem if the device is lost. In addition, because these practices are small, they lack the resources and awareness to put proper data breach protection in place in all areas of their practice. This could expose a larger problem for the entire healthcare industry, since community health records and health information are often shared between medical institutions of all sizes.

1 HITRUST is a non-profit coalition of healthcare, business, technology and information security leaders, established to ensure that information security is a core value in the broad adoption of health information systems and exchanges.