1. Liu V, Musen MA, Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252
2. Blumenthal D, McGraw D. Keeping personal health information safe: the importance of good data hygiene. JAMA. 2015;313(14):1424. doi:10.1001/jama.2015.2746
3. US Department of Health and Human Services Office for Civil Rights. Breach portal: notice to the secretary of HHS breach of unsecured protected health information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed January 4, 2018.
4. Blanke SJ, McGrady E. When it comes to securing patient health information from breaches, your best medicine is a dose of prevention: a cybersecurity risk assessment checklist. J Healthc Risk Manag. 2016;36(1):14-24. doi:10.1002/jhrm.21230
5. Institute of Medicine. Health Data in the Information Age: Use, Disclosure, and Privacy. Washington, DC: National Academies Press; 1994:chap 4.
Research Letter
September 25, 2018

Temporal Trends and Characteristics of Reportable Health Data Breaches, 2010-2017

Author Affiliations
  • 1 Center for Quantitative Health, Massachusetts General Hospital, Boston
  • 2 Associate Editor, JAMA Network Open
JAMA. 2018;320(12):1282-1284. doi:10.1001/jama.2018.9222

Protections for private patient data and mandatory public reporting of breaches of data confidentiality were established by the 1999 Health Insurance Portability and Accountability Act (HIPAA) and 2009 Health Information Technology for Economic and Clinical Health Act. Between 2010 and 2013, data breaches involving at least 29.1 million patient records were reported. The ongoing transition to electronic health records may increase such breaches.[1,2] We used public data to examine the nature and extent of breaches from 2010 through 2017.

We downloaded all breaches posted to the US Health and Human Services Office for Civil Rights breach database portal between January 1, 2010, and December 31, 2017. We analyzed secular trends in the number of breaches and the number of records affected in terms of 3 categories, named as in the federal database: business associate, health plan, and health care provider. We also examined breached media and type of breach, which are defined in the figure legends.[3] An additional category, health care clearing house, had only 4 breaches and was omitted for clarity. When a breach was reported as involving multiple media or types, we attributed the full breach to each category. For example, if a single breach of 500 records involved email, laptop, and network server, then each of these 3 categories was assigned a breach of 500 records. This allowed correct reporting of breaches within each medium and breach type category but precluded summation over categories (covered entities are not multiply assigned).
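The multiple-attribution rule described above, as an added Python example that is not the authors' analysis code: it tallies breaches and records per category and shows why the media totals cannot be summed. The column names, category labels and sample rows are constructed for illustration and are assumptions, not the portal's actual export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, not real portal data. Column names, labels and the
# comma-separated multi-value convention are assumptions for this example.
SAMPLE_CSV = '''entity,posted,records,media,breach_type
health care provider,03/14/2012,500,"email, laptop, network server",theft
health plan,07/02/2015,1200,network server,hacking
business associate,11/20/2015,800,"paper, email","unauthorized access, loss"
health care clearing house,01/05/2016,900,other,loss
health care provider,06/30/2018,700,laptop,theft
'''

ENTITIES = {"business associate", "health plan", "health care provider"}


def split_multi(cell):
    """Split a multi-valued cell into unique category labels, order preserved."""
    return list(dict.fromkeys(p.strip() for p in cell.split(",") if p.strip()))


def tally(csv_text, first_year=2010, last_year=2017):
    """Return (total, by_entity, by_media, by_type); values are [breaches, records]."""
    total = [0, 0]
    by_entity, by_media, by_type = (defaultdict(lambda: [0, 0]) for _ in range(3))
    for row in csv.DictReader(io.StringIO(csv_text)):
        year = int(row["posted"].rsplit("/", 1)[1])
        if not first_year <= year <= last_year or row["entity"] not in ENTITIES:
            continue  # outside the study window, or the omitted clearing houses
        records = int(row["records"])
        # Each breach has exactly one entity category, so it is counted once.
        targets = [total, by_entity[row["entity"]]]
        # The full breach is attributed to every medium and every type listed.
        targets += [by_media[m] for m in split_multi(row["media"])]
        targets += [by_type[t] for t in split_multi(row["breach_type"])]
        for cell in targets:
            cell[0] += 1
            cell[1] += records
    return total, dict(by_entity), dict(by_media), dict(by_type)


if __name__ == "__main__":
    total, by_entity, by_media, by_type = tally(SAMPLE_CSV)
    print("total [breaches, records]:", total)
    print("records summed over media:", sum(v[1] for v in by_media.values()))
```

On the constructed rows, the per-entity records add up to the true total, while the per-media records add up to more than the total because multi-media breaches are counted once per medium.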