Data breaches of protected health information (PHI) pose substantial financial, reputational, and clinical risks for health care entities and patients and are associated with public health challenges.1-3 Policymakers, health care entities, and the public are increasingly concerned about PHI security, but research has not examined the detailed causes of PHI breaches or the preventive actions adopted by health care entities after a breach.4 In this retrospective study, we aimed to fill these knowledge gaps.
Health care entities are legally required to notify the US Department of Health and Human Services of any data breaches of unsecured PHI.5 The Office for Civil Rights reviews and publishes on its website the PHI breaches that affect 500 or more individuals.6 On March 20, 2018, the US Department of Health and Human Services published detailed event descriptions for 1138 breach cases that occurred between October 21, 2009, and December 31, 2017. These cases affected the PHI of 164 million patients in total. The human subjects research policy of The Johns Hopkins Institutional Review Board determined that this study did not require approval; study design obviated the need for consent procedures.
Since 2011, the US Department of Health and Human Services has asked health care entities to self-categorize their breach as 1 of 6 types: hacking or information technology incident, improper disposal (electronic media or paper records not appropriately cleared or shredded), loss, theft, unauthorized access or disclosure (breaches from misdirected mailing or other communication), and unknown or other. However, whether the categorization has been consistently applied across health care entities is unclear. Using detailed event descriptions, we confirmed the categorization of 883 cases (77.6%) of 1138 PHI breaches and recategorized 255 cases (22.4%) that were originally either placed in the unknown or other category or misclassified by the reporting entity. We then summarized the detailed causes for the 5 categories and differentiated them as internal (eg, theft committed by an employee) or external (eg, lost in transportation).
In addition, we reported the locations of the breached PHI (paper records, mobile devices, and network servers or cloud) and separated all cases related to communication by medium (mail or email). We also summarized common corrective actions that health care entities have taken to prevent future incidents.
As shown in the Table, theft by outsiders or unknown parties (370 [32.5%]), disclosing PHI through mailing mistakes by employees (119 [10.5%]), and theft by former or current employees (102 [9.0%]) were the 3 major causes of PHI breaches. These causes were followed by employees taking PHI home or forwarding it to personal accounts or devices (74 [6.5%]) and hacking or information technology incidents committed by undisclosed parties (70 [6.2%]). Overall, 603 PHI breaches (53.0%) were internal, attributable to the health care entities’ own mistakes or neglect.
Breached PHI was located on mobile devices (524 [46.1%]), in paper records (326 [28.7%]), and on network servers (333 [29.3%]); multiple locations were occasionally involved. Common corrective actions included encrypting and restricting the use of mobile devices when the breached PHI had been stored on those devices; digitizing PHI and enhancing the safety of the facility in which paper records were stored; and monitoring or auditing access to, and strengthening firewalls for, network servers or the cloud.
Among the 232 breaches (20.4%) that occurred during PHI communication, 152 (65.5%) were mailing mistakes and 80 (34.5%) were emailing mistakes. After the breach, before mailing PHI, entities typically adopted mandatory verification of the recipient and the information exposed through envelope windows. Before emailing PHI, entities adopted mandatory verification of the recipient, the copy protocol (bcc vs cc), and the encryption of content.
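The emailing controls described above (recipient verification and bcc vs cc discipline) can be enforced mechanically at a mail gateway before a message leaves the entity. The following is an added illustration, not code or data from the study: a pre-send check over a constructed outbound message. The approved-domain allowlist, the message model, and the `contains_phi` flag (assumed to be set upstream by a content classifier) are all assumptions for the example.

```python
"""Pre-send check for outbound email that may contain PHI (added example).

Two controls from the corrective actions reported in the study:
  1. recipient verification: every recipient outside the sender's own domain
     or the approved-domain allowlist must be explicitly verified;
  2. bcc vs cc: more than one unverified external recipient visible in To/Cc
     exposes the recipients (and therefore their patient status) to each other,
     so such recipients must be moved to Bcc.
All domains and addresses below are constructed for illustration.
"""
from dataclasses import dataclass, field
from email.utils import getaddresses

# Assumed allowlist of external domains the entity has verified as PHI recipients.
APPROVED_DOMAINS = {"partner-clinic.example", "payer.example"}


@dataclass
class OutboundMessage:
    """Minimal model of a message as seen by a pre-send gateway (constructed)."""
    sender: str
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    contains_phi: bool = False  # assumed to be set upstream by a DLP classifier


def _addresses(headers):
    """Bare, lowercased addresses from 'Name <addr>' or bare-address headers."""
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def _domain(addr):
    return addr.rpartition("@")[2]


def check_message(msg):
    """Return a list of (code, detail) findings; an empty list means release."""
    if not msg.contains_phi:
        return []

    findings = []
    sender_domain = _domain(_addresses([msg.sender])[0])
    visible = _addresses(msg.to) + _addresses(msg.cc)
    hidden = _addresses(msg.bcc)

    def is_unverified(addr):
        d = _domain(addr)
        return d != sender_domain and d not in APPROVED_DOMAINS

    # Control 1: every unverified recipient, visible or not, needs confirmation.
    for addr in visible + hidden:
        if is_unverified(addr):
            findings.append(("VERIFY_RECIPIENT", addr))

    # Control 2: several unverified recipients in To/Cc belong in Bcc.
    external_visible = [a for a in visible if is_unverified(a)]
    if len(external_visible) > 1:
        findings.append(("BCC_REQUIRED", ", ".join(external_visible)))

    return findings


if __name__ == "__main__":
    # Constructed sample: a reminder sent to two patients with both in To.
    sample = OutboundMessage(
        sender="Clinic Nurse <nurse@hospital.example>",
        to=["pt1@mail.example", "Pat Two <pt2@mail.example>"],
        cc=["coder@hospital.example"],
        contains_phi=True,
    )
    for code, detail in check_message(sample):
        print(f"{code}: {detail}")
```

Both findings are blocking in this design: the sender must confirm each unverified address, and a `BCC_REQUIRED` finding cannot be satisfied by confirmation alone, since the exposure comes from the header layout rather than from any single wrong recipient.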
Our analysis of 1138 PHI breaches from 2009 to 2017 that affected 164 million patients indicates that more than half of the cases were not from external causes but were attributable to internal mistakes or neglect. Different storage locations and communication channels carry different PHI breach risks. Adopting common corrective actions has the potential to mitigate these risks. These results might not be generalizable to breaches that affect fewer than 500 patients. Health care entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security.
Accepted for Publication: August 9, 2018.
Corresponding Author: Ge Bai, PhD, CPA, The Johns Hopkins Carey Business School, Bernstein-Offit Bldg 353, 1717 Massachusetts Ave NW, Washington, DC 20036 (gbai@jhu.edu).
Published Online: November 19, 2018. doi:10.1001/jamainternmed.2018.5295
Author Contributions: Dr Jiang had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.
Concept and design: Both authors.
Acquisition, analysis, or interpretation of data: Both authors.
Drafting of the manuscript: Both authors.
Critical revision of the manuscript for important intellectual content: Both authors.
Statistical analysis: Jiang.
Administrative, technical, or material support: Both authors.
Supervision: Both authors.
Conflict of Interest Disclosures: None reported.
Additional Contributions: We thank Luyao Ma, MS, for her research assistance, and Gerard F. Anderson, PhD, and Michele Trieb, BA, for their valuable comments. These individuals were not compensated for their contributions.