Health Data Breaches Exposed 1 in 10 Americans Since 2009

By Roy Maurer Jul 10, 2014

Over 1,000 large health data breaches, each involving 500 or more individuals, have been reported to the government by health care providers and affiliated vendors since 2009.

The medical records exposed in those breaches have affected nearly 31.7 million Americans, or roughly 10 percent of the population, according to the Department of Health and Human Services (HHS).

A total of 1,026 breaches have been reported to the HHS Office for Civil Rights since the federal reporting requirement went into effect in September 2009.

In addition to large reported breaches, there have been approximately 116,000 reported breaches involving the records of fewer than 500 individuals through March 2013, according to the most recent data available.

“The health care industry is arguably the most heavily regulated in the area of privacy and data security, and this statistic demonstrates why,” said Al Saikali, a partner and co-chair of Shook Hardy & Bacon’s Data Security and Data Privacy Practice Group, based in Miami. Saikali explained that the high rate of exposure is due in large part to the proliferation of electronic medical records and the need to exchange and make those records available quickly from one provider to another, and between providers and their vendors. “With so many hands on a medical record and the copies of the medical record, there are plenty of opportunities for unauthorized access or acquisition of those records,” he said.

Health care providers have worked hard to comply with the Health Insurance Portability and Accountability Act (HIPAA) security rule that requires implementation of administrative, technical and physical safeguards to secure protected health information, Saikali said. But these companies still face significant risks in collecting, using, storing and disposing of protected health information, with issues ranging from employee misuse of data and computer theft to web-based and photocopier breaches.

“While most health care providers know to pay close attention to the HIPAA rules when setting up their information technology systems, recent events have demonstrated that this close scrutiny should also be applied to computer reconfigurations and other IT system changes,” remarked Rose Willis, a Detroit-based attorney with Dickinson Wright PLLC.

Willis is referring to the largest-ever settlement for a single breach case, reached in May 2014, when New York-Presbyterian Hospital and Columbia University agreed to pay $4.8 million for compromising 6,800 patient records. The organizations also agreed to implement a corrective action plan that includes risk analysis and management, staff training, and organizational policy and procedure reforms.

The investigation revealed that the breach was caused when a physician employed by Columbia attempted to deactivate a personally owned computer server on the network containing the hospital’s patient data. The deactivation of the server and a lack of technical safeguards resulted in protected health information being accessible on the Internet.

In addition to the disclosure of medical records, the investigation found that neither the hospital nor the university had made efforts prior to the breach to secure the server. Additionally, HHS determined that neither entity had conducted an accurate and thorough risk analysis that would have identified all systems that access the hospital’s data. Lastly, the hospital failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

Under the HIPAA security rule, most health care providers are required to conduct a risk analysis of their IT equipment and implement HIPAA security policies and procedures to reduce their risk of a potential HIPAA violation, said Willis. “Whenever a change is made to a health care provider’s IT systems, a new risk analysis should be conducted to identify any potential risk of improper disclosure of [data] as a result of the change. Any such risk must be eliminated or sufficiently reduced prior to implementing the change to avoid a violation of HIPAA and the costly penalties that go along with it.”

The number of HHS enforcement actions and the penalties sought by HHS have increased over time, said Saikali. “HHS realizes that medical records are proliferating and they want to motivate providers and their vendors to implement the required safeguards to protect that information.”

American Medical Association Board President Robert Wah, M.D., told Politico that insurers and medical facilities should prepare themselves for another supersized criminal breach similar to the one that hit Target between November and December 2013.

“What I think it’s going to lead to, if it hasn’t already, is an arms race between the criminal element and the people trying to protect health data,” Wah said. “They’re seeking health records not because they’re curious about a celebrity’s blood type or medication lists or health problems,” he added. “They’re seeking health records because they can do huge financial, fraudulent damage, more so than they can with a credit card number or Social Security number.”

The FBI also recently recommended that major health care companies invest more in cybersecurity.

“The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI notice stated.

So what can companies do to secure their protected health information?

“Having policies that govern the proper use and disclosure of protected health information is a first step, but it’s important that companies audit whether their employees are complying with these policies and discipline employees who don’t comply so that a message is sent to everyone in the company that noncompliance will not be tolerated,” said Saikali.

He also recommended that companies:

  • Continuously evaluate potential new security risks associated with technology upgrades or changes. “An assumption should not be made that simply because the software is an upgrade the security risks remain the same,” he said.
  • Be cognizant of risks such as photocopier hard drives. “Maybe this means ensuring that the hard drives are wiped clean or written over before they are returned to the leasing agent.”
  • Encrypt sensitive information where feasible, and to the extent it isn’t feasible, build in other technical safeguards to protect the information.
  • Require and audit annual training. “Do your employees know how seemingly simple and uneventful conduct like photocopying a medical record, leaving a laptop unaccompanied, clicking on a link in an e-mail, or doing a favor to a friend who needs protected health information about a loved one can lead to very significant unintended consequences for your company?”

Roy Maurer is an online editor/manager for SHRM.

Follow him @SHRMRoy
