More than half of personal healthcare information (PHI) data breaches in recent history can be traced back to healthcare providers themselves rather than hackers or external parties, researchers reported in JAMA Internal Medicine.
The Nov. 19 paper, authored by John (Xuefeng) Jiang, PhD, and Ge Bai, PhD, CPA, of Michigan State University and Johns Hopkins Carey Business School, respectively, expands on troubling research initially published in 2017. That study, headed by the same team, identified nearly 1,800 PHI data breaches in the U.S. over seven years, with 33 hospitals experiencing more than one substantial breach.
“A fundamental tradeoff exists between data security and data access,” Jiang and Bai wrote at the time. “Broad access to health information, essential for hospitals’ quality improvement efforts and research and education needs, inevitably increases risks for data breaches and makes ‘zero breach’ an extremely challenging objective.”
The pair extended their research in their latest study, reviewing nearly 1,150 cases logged by the U.S. Department of Health and Human Services (HHS) between 2009 and 2017. When a hospital or practice experiences any kind of data breach, they’re required to report it to HHS and classify what they believe to be the cause—either theft, unauthorized access, hacking or IT, loss, improper disposal or “other.”
After assessment, Jiang and Bai found 53 percent of PHI breaches were the result of internal factors within hospitals—anything from sending the wrong email to physically taking PHI out of the institution. The major causes of breaches were theft by outsiders (32.5 percent), disclosing PHI through employee mailing mistakes (10.5 percent) and theft by former or current employees (9 percent).
Hacking and IT incidents were the root of just 6.2 percent of data breaches, the authors said, noting 603 PHI breaches in total “were internal, attributable to the healthcare entities’ own mistakes or neglect.”
The majority of data breaches were located in mobile devices, while around 30 percent affected paper records and another 30 percent affected network servers.
“Different storage locations and communication channels have different PHI breach risks,” Jiang and Bai wrote. “Adopting common corrective actions has the potential to mitigate these risks.”
The authors said their results might not be generalizable to smaller data breaches, since they only included incidents affecting 500 patients or more.
“Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the tradeoff between wider access or higher efficiency and more security,” they wrote.
After graduating from Indiana University-Bloomington with a bachelor’s in journalism, Anicka joined TriMed’s Chicago team in 2017 covering cardiology. Close to her heart is long-form journalism, Pilot G-2 pens, dark chocolate and her dog Harper Lee.