Table 1. Hospitals Breached More Than Once Between October 21, 2009, and December 25, 2016
Table 2. Breached Hospitals With More Than 20 000 Total Affected Individuals
Research Letter
June 2017

Hospital Risk of Data Breaches

Author Affiliations
  • 1The Johns Hopkins Carey Business School, Washington, DC
  • 2Eli Broad College of Business, Michigan State University, East Lansing
  • 3Miller College of Business, Ball State University, Muncie, Indiana
JAMA Intern Med. 2017;177(6):878-880. doi:10.1001/jamainternmed.2017.0336

As the adoption of electronic health records and health information technology rapidly expands, hospitals and other health care providers increasingly suffer data breaches.1 A data breach is an impermissible use or disclosure that compromises the security or privacy of protected health information; it is commonly caused by a malicious or criminal attack, a system glitch, or human error.2,3 Policy makers, hospital administrators, and the public are highly interested in reducing the incidence of data breaches. In this retrospective data analysis, we use data from the Department of Health and Human Services (HHS) to examine which types of hospitals face a higher risk of data breaches.

Methods

Under the Health Information Technology for Economic and Clinical Health Act of 2009, all health care providers covered by the Health Insurance Portability and Accountability Act must notify HHS of any breach of protected health information affecting 500 or more individuals within 60 days of discovering the breach. The Department of Health and Human Services publishes the submitted breach incidents on its website; the earliest submission date is October 21, 2009. We were able to link 141 acute care hospitals to their 2014 fiscal year Medicare cost reports filed with the Centers for Medicare and Medicaid Services (CMS). The unlinked hospitals include long-term care hospitals, Veterans Affairs and military hospitals, hospital systems, and hospitals that could not be identified in the CMS data set. We applied multivariable and regression analyses to compare these 141 hospitals with other acute care hospitals to understand which types of hospitals face a higher risk of breaches.4 Statistical analysis was performed with SAS 9.4 (SAS Institute Inc) and STATA 14 (StataCorp LLC). For statistical analysis, t tests were used, and P < .05 was considered significant.

Results

Between October 21, 2009, and December 31, 2016, 1798 data breaches were reported.5 Among them, 1225 breaches were reported by health care providers and the remainder by business associates, health plans, or health care clearinghouses. There were 257 breaches reported by 216 hospitals in the data, with a median (interquartile range [IQR]) of 1847 (872-4859) affected individuals per breach; 33 hospitals had been breached at least twice, and many of these are large major teaching hospitals (Table 1). Table 2 lists hospitals with more than 20 000 total affected individuals. For the 141 acute care victim hospitals linked to their 2014 CMS cost reports, the median (IQR) number of beds was 262 (137-461) and 52 (37%) were major teaching hospitals. In contrast, among the 2852 acute care hospitals not identified as having breach incidents, the median (IQR) number of beds was 134 (64-254), and 265 (9%) were major teaching hospitals. Hospital size and major teaching status were positively associated with the risk of data breaches (P < .001).

Discussion

A fundamental trade-off exists between data security and data access. Broad access to health information, essential for hospitals’ quality improvement efforts and research and education needs, inevitably increases risks for data breaches and makes “zero breach” an extremely challenging objective. The evolving landscape of breach activity, detection, management, and response requires hospitals to continuously evaluate their risks and apply best data security practices. Despite the call for good data hygiene,6 little evidence exists of the effectiveness of specific practices in hospitals. Identification of evidence-based effective data security practices should be made a research priority.

This study has 3 important limitations. First, data breaches affecting fewer than 500 individuals were not examined. Second, because each victim hospital was matched to its CMS cost report based on name and state, the matching might be incomplete or inaccurate for some hospitals. Finally, our analysis is limited to the hospital industry. Future studies that examine the characteristics of other types of health care entities that experienced data breaches are warranted.
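The linkage step described in the Methods (breach-portal entities matched to CMS cost reports by name and state) and the second limitation above (that matching may be incomplete) are easiest to see in code. The following Python is an added example, not the authors' SAS/STATA analysis; every breach row, cost-report row, hospital name, bed count and teaching flag in it is constructed for illustration and is not real HHS or CMS data. The field names only loosely follow the HHS breach-portal export, and Welch's t test is this example's choice, since the letter does not specify which t test was used.

```python
"""Link HHS breach-portal records to hospital cost-report rows and compare the
two groups. Added example, not the authors' SAS/STATA analysis; all rows are
constructed for illustration and are not real HHS or CMS data. Field names
loosely follow the HHS "Breaches Affecting 500 or More Individuals" export."""
import re
import statistics
from collections import defaultdict
from math import sqrt

# Constructed breach-portal rows (hypothetical covered entities). The same
# hospital appears twice with inconsistent spelling, as happens in the portal.
BREACHES = [
    {"name": "St. Mary's Hospital", "state": "CA", "type": "Healthcare Provider", "affected": 1847},
    {"name": "ST MARYS HOSPITAL", "state": "CA", "type": "Healthcare Provider", "affected": 22000},
    {"name": "Riverside Medical Center", "state": "TX", "type": "Healthcare Provider", "affected": 872},
    {"name": "Northgate Hospital", "state": "NY", "type": "Healthcare Provider", "affected": 4859},
    {"name": "Acme Billing Services", "state": "TX", "type": "Business Associate", "affected": 9000},
    {"name": "Pinecrest Long-Term Care Hospital", "state": "FL", "type": "Healthcare Provider", "affected": 600},
]

# Constructed acute care cost-report rows (hypothetical hospitals).
COST_REPORTS = [
    {"name": "St Marys Hospital", "state": "CA", "beds": 461, "major_teaching": True},
    {"name": "Riverside Medical Center", "state": "TX", "beds": 262, "major_teaching": False},
    {"name": "Northgate Hospital", "state": "NY", "beds": 137, "major_teaching": True},
    {"name": "Elm Street Community Hospital", "state": "OH", "beds": 64, "major_teaching": False},
    {"name": "Lakeview General Hospital", "state": "WA", "beds": 134, "major_teaching": False},
    {"name": "Harbor County Hospital", "state": "ME", "beds": 254, "major_teaching": False},
]


def normalize_name(name):
    """Lower-case, drop punctuation and collapse whitespace so that
    "St. Mary's Hospital" and "ST MARYS HOSPITAL" produce the same key."""
    stripped = re.sub(r"[^a-z0-9 ]", "", name.lower())
    return re.sub(r"\s+", " ", stripped).strip()


def breaches_per_entity(rows):
    """Aggregate provider-reported breaches by (normalized name, state)."""
    per = defaultdict(lambda: {"breaches": 0, "affected": 0})
    for r in rows:
        if r["type"] != "Healthcare Provider":
            continue  # business associates, health plans, clearinghouses
        key = (normalize_name(r["name"]), r["state"])
        per[key]["breaches"] += 1
        per[key]["affected"] += r["affected"]
    return dict(per)


def link_to_cost_reports(per_entity, cost_reports):
    """Split cost-report rows into breached / not breached, and return breach
    keys that matched no cost report (the letter's "unlinked" hospitals)."""
    by_key = {(normalize_name(c["name"]), c["state"]): c for c in cost_reports}
    breached = [by_key[k] for k in per_entity if k in by_key]
    unlinked = [k for k in per_entity if k not in by_key]
    not_breached = [c for k, c in by_key.items() if k not in per_entity]
    return breached, not_breached, unlinked


def repeat_victims(per_entity):
    """Entities breached at least twice (the Table 1 criterion)."""
    return {k: v for k, v in per_entity.items() if v["breaches"] >= 2}


def large_victims(per_entity, threshold=20000):
    """Entities with more than `threshold` total affected individuals (Table 2)."""
    return {k: v for k, v in per_entity.items() if v["affected"] > threshold}


def median_iqr(values):
    q1, _, q3 = statistics.quantiles(values, n=4, method="inclusive")
    return statistics.median(values), q1, q3


def teaching_share(rows):
    return sum(r["major_teaching"] for r in rows) / len(rows)


def welch_t(a, b):
    """Welch's unequal-variance t statistic and degrees of freedom (this
    example's choice; the letter does not name the t-test variant). Convert to
    a P value with a t-distribution table or scipy.stats.t.sf."""
    ma, mb = statistics.fmean(a), statistics.fmean(b)
    va, vb = statistics.variance(a) / len(a), statistics.variance(b) / len(b)
    df = (va + vb) ** 2 / (va ** 2 / (len(a) - 1) + vb ** 2 / (len(b) - 1))
    return (ma - mb) / sqrt(va + vb), df


if __name__ == "__main__":
    per = breaches_per_entity(BREACHES)
    breached, not_breached, unlinked = link_to_cost_reports(per, COST_REPORTS)
    beds_b = [h["beds"] for h in breached]
    beds_n = [h["beds"] for h in not_breached]
    print("linked:", len(breached), "unlinked:", unlinked)
    print("beds, breached median/IQR:", median_iqr(beds_b))
    print("beds, not breached median/IQR:", median_iqr(beds_n))
    print("major teaching share:", teaching_share(breached), teaching_share(not_breached))
    print("repeat victims:", repeat_victims(per))
    print("Welch t, df:", welch_t(beds_b, beds_n))
```

Without `normalize_name`, the two spellings of the same hospital would count as two one-breach entities and neither would match its cost report, which is exactly the incompleteness the limitation warns about; even with normalization, a long-term care hospital remains unlinked because it has no acute care cost report. Run against a real portal export, replace the constructed lists with rows read from the CSV and keep the (name, state) key.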

Article Information

Corresponding Author: Ge Bai, PhD, CPA, The Johns Hopkins Carey Business School, Bernstein-Offit Bldg 353, 1717 Massachusetts Ave NW, Washington, DC 20036 (gbai@jhu.edu).

Published Online: April 3, 2017. doi:10.1001/jamainternmed.2017.0336

Author Contributions: Dr Bai had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.

Study concept and design: All authors.

Acquisition, analysis, or interpretation of data: Bai, Jiang.

Drafting of the manuscript: All authors.

Critical revision of the manuscript for important intellectual content: All authors.

Statistical analysis: Bai, Jiang.

Administrative, technical, or material support: All authors.

Supervision: Bai, Jiang.

Conflict of Interest Disclosures: None reported.

Additional Contributions: We acknowledge the valuable comments from Gerard F. Anderson, PhD, and technical support from Jianbo Liu, PhD; they did not receive compensation.

References
1. Liu V, Musen MA, Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313(14):1471-1473.
2. US Department of Health and Human Services. Breach Notification Rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification. Accessed December 28, 2016.
3. Ponemon Institute. Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. http://www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data-1. Accessed December 28, 2016.
4. Bai G, Anderson GF. A more detailed understanding of factors associated with hospital profitability. Health Aff (Millwood). 2016;35(5):889-897.
5. US Department of Health and Human Services. Breaches affecting 500 or more individuals. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed December 28, 2016.
6. Blumenthal D, McGraw D. Keeping personal health information safe: the importance of good data hygiene. JAMA. 2015;313(14):1424.