Figure 1 legend. The numbers below each year refer to the cumulative number of records breached up to that year. Business associate refers to entities that do not provide or reimburse health care but are given access to Health Insurance Portability and Accountability Act (HIPAA)–protected data, generally to support physicians or health plans. Broadly speaking, a health care provider is a person or organization who furnishes, bills, or is paid for health care service; a health plan provides, or pays the cost of, medical care (US Code of Federal Regulations 160.103). The 4 breaches of a health care clearing house were omitted for clarity.
Figure 2 legend. Because breaches were assigned to multiple categories, totals in panels A and B exceed those reported in Figure 1. The cumulative record counts placed below each year refer to the cumulative number of records breached up to that year. All categories were as reported in the federal database. Plots omit “unknown,” “other,” and “other portable electronic device” categories, determined a priori to be too open-ended to imply particular action. IT indicates information technology.
McCoy TH, Perlis RH. Temporal Trends and Characteristics of Reportable Health Data Breaches, 2010-2017. JAMA. 2018;320(12):1282–1284. doi:10.1001/jama.2018.9222
Protections for private patient data and mandatory public reporting of breaches of data confidentiality were established by the 1999 Health Insurance Portability and Accountability Act (HIPAA) and 2009 Health Information Technology for Economic and Clinical Health Act. Between 2010 and 2013, data breaches involving at least 29.1 million patient records were reported. The ongoing transition to electronic health records may increase such breaches.1,2 We used public data to examine the nature and extent of breaches from 2010 through 2017.
We downloaded all breaches posted to the US Health and Human Services Office for Civil Rights breach database portal between January 1, 2010, and December 31, 2017, and analyzed secular trends in number of breaches and number of records affected in terms of 3 categories reported in the federal database: business associate, health plan, and health care provider (terms used in the federal database); we also examined breached media and type of breach, which are defined in the figure legends.3 An additional category, health care clearing house, had only 4 breaches and was omitted for clarity. When a breach was reported as involving multiple media or types, we attributed the full breach to each category. As such, if a single breach of 500 records involved email, laptop, and network server, then each of these 3 categories was assigned a breach of 500 records. This allowed correct reporting of breaches within each medium and breach type category but precluded summation over categories (covered entities are not multiply assigned).
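The multi-assignment rule described above, as an added example that is not part of the letter's own analysis code: each breach is credited in full to every medium or breach type it lists, so per-category totals are correct on their own but inflate if summed. The rows are constructed, and the comma-separated field layout is an assumption about the portal export, not taken from the letter.

```python
"""Added example: per-category attribution of multi-category breach reports."""
from collections import defaultdict
from statistics import median

# Constructed sample rows in the shape (covered entity type, individuals
# affected, type of breach, location of breached information). Multi-valued
# fields are assumed to be comma-separated, as in a portal CSV export.
SAMPLE_BREACHES = [
    ("Healthcare Provider", 500, "Theft", "Laptop"),
    ("Healthcare Provider", 500, "Hacking/IT Incident", "Email, Laptop, Network Server"),
    ("Health Plan", 78_800_000, "Hacking/IT Incident", "Network Server"),
    ("Business Associate", 2300, "Unauthorized Access/Disclosure", "Paper/Films"),
    ("Healthcare Provider", 995, "Theft, Loss", "Paper/Films"),
]
TYPE_COL, LOCATION_COL = 2, 3


def split_multi(field):
    """Split a comma-separated category field into its individual categories."""
    return [part.strip() for part in field.split(",") if part.strip()]


def attribute_by_category(rows, column):
    """Credit the whole breach (1 report, all records) to every category
    listed in `column`. Sums across categories therefore exceed the true total."""
    totals = defaultdict(lambda: {"breaches": 0, "records": 0})
    for row in rows:
        for category in split_multi(row[column]):
            totals[category]["breaches"] += 1
            totals[category]["records"] += row[1]
    return dict(totals)


def summarize(rows):
    """Overall totals and the (skewed) size distribution's median."""
    sizes = [row[1] for row in rows]
    return {"breaches": len(sizes), "records": sum(sizes), "median": median(sizes)}


def count_multi(rows, column):
    """Number of reports that name more than one category in `column`."""
    return sum(1 for row in rows if len(split_multi(row[column])) > 1)


def summation_inflation(rows, column):
    """How many records would be double counted by naively summing categories."""
    per_category = attribute_by_category(rows, column)
    return sum(v["records"] for v in per_category.values()) - summarize(rows)["records"]
```

Run `summation_inflation(SAMPLE_BREACHES, LOCATION_COL)` to see the double counting the letter warns about: the 500-record breach listed under 3 media contributes 1000 extra records.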
We included 2149 breaches comprising a total of 176.4 million records. Individual breaches ranged in size from 500 to 78.8 million records. The distribution of records breached was positively skewed with a median breach affecting 2300 records (interquartile range, 995-7800) and a mean of 84 456. With the exception of 2015, the number of breach reports increased each year, from 199 in 2010 to 344 in 2017.
The most common entity breached was a health care provider, with 1503 breaches (70%) compromising a total of 37.1 million records (21%). The 278 breaches (13%) of health plans accounted for the largest share of breached records, 110.4 million (63%). Figure 1 illustrates an increasing number of breaches associated with health care providers over time.
The most common information medium breached between 2010 and 2017 was paper or film, with 510 breaches (24%) comprising a total of 3.4 million records (2%; Figure 2A). However, the 410 breaches (19%) of information from network servers accounted for the largest share of breached records, 139.9 million (79%). The most commonly breached media locations shifted from laptop and paper or film in 2010 to network server and email in 2017. These shifts were paralleled by increases in hacking or information technology (IT) incidents and unauthorized access (Figure 2B), which both surpassed theft by 2016. There were 253 of 2106 breaches reported as involving multiple media (12.0%) and 83 of 2103 (3.9%) reported as involving multiple types.
Despite the ethical and legal obligation to protect patient privacy and efforts to establish best practices for health care information security, breach rates have increased and health care providers accounted for a large share of those breaches.2,4,5 Health plans, however, accounted for a larger share of total records breached. The greatest numbers of records breached were accessed via network-connected information. As the type of data breached shifted toward electronic records and away from paper records, the nature of the breach likewise shifted toward electronic means, such as hacking.
The study has 2 key limitations. First, these results describe secular trends but do not allow for inferences about the causes of those trends. Second, some breaches were reported in multiple media and breach type categories, so the relative importance of each category to the breach cannot be determined.
Although networked digital health records have the potential to improve clinical care and facilitate learning health systems, they also have the potential for harm to vast numbers of patients at once if data security is not improved.
Accepted for Publication: June 11, 2018.
Corresponding Author: Thomas H. McCoy Jr, MD, Center for Quantitative Health, Simches Research Bldg, Sixth Floor, 185 Cambridge St, Boston, MA 02114 (email@example.com).
Author Contributions: Drs McCoy and Perlis had full access to all of the data in the study and take responsibility for the integrity of the data and the accuracy of the data analysis.
Concept and design: McCoy.
Acquisition, analysis, or interpretation of data: All authors.
Drafting of the manuscript: All authors.
Critical revision of the manuscript for important intellectual content: All authors.
Statistical analysis: McCoy.
Obtained funding: All authors.
Administrative, technical, or material support: Perlis.
Conflict of Interest Disclosures: Both authors have completed and submitted the ICMJE Form for Disclosure of Potential Conflicts of Interest. Dr McCoy reported receiving unrelated grants from the Stanley Center at the Broad Institute, Brain and Behavior Research Foundation, and Telefonica Alpha. Dr Perlis reported receiving grants from the National Human Genome Research Institute, National Institute of Mental Health, and Telefonica Alpha; serving on the scientific advisory board for Perfect Health, Genomind, and Psy Therapeutics; and consulting to RID Ventures. No other disclosures were reported.
Funding/Support: The study investigators are funded by grant 1R01MH106577 from the National Institute of Mental Health.
Role of the Funder/Sponsor: The National Institute of Mental Health had no role in the design and conduct of the study; collection, management, analysis, and interpretation of the data; preparation, review, or approval of the manuscript; and decision to submit the manuscript for publication.