- Breaches of protected health information can seriously harm an organization's brand and finances, but little is known about how breaches occur and the steps organizations take to prevent a recurrence, according to a research letter in JAMA Internal Medicine.
- The researchers analyzed 1,138 breach cases that occurred between Oct. 21, 2009, and Dec. 31, 2017. The cases, reported to the HHS Office for Civil Rights, affected the PHI of 164 million Americans.
- Based on detailed event descriptions, 77.6% of the cases were correctly classified, while 22.4% were listed as "unknown" or placed in an incorrect category by the reporting entity.
Healthcare organizations are required to notify OCR of breaches affecting 500 or more people, and to classify those breaches as one of six types: hacking, improper disposal, loss, theft, unauthorized access or disclosure and unknown.
"Healthcare entities must understand the causes of PHI breaches if they aim to effectively manage the trade-off between wider access or higher efficiency and more security," writes John Jiang of Michigan State University's Broad College of Business and Ge Bai of Johns Hopkins' Carey Business School.
The No. 1 cause of data breaches was theft by outsiders or unknown parties, making up about one-third (32.5%) of the 1,138 cases. Rounding out the top three causes were employee mailing mistakes (10.5%) and theft by former or current employees (9%). More than half (53%) of all PHI breaches originated inside the organization.
The researchers also looked at the location of the breaches. Mobile devices factored in 46.1% of cases, paper records in 28.7% and network servers in 29.3%.
Corrective actions included encrypting devices and restricting use when they stored PHI data, strengthening network firewalls and monitoring access, among other tactics. Organizations also tightened mail and email security with mandatory verification of recipient, copy protocol and encrypting content, according to the letter.
"Today, the reality of breaches means you need to be assuming a breach is in your environment at all stages," Vincent Weafer, chief operating officer and CTO of TriagingX, told Healthcare Dive in an interview last year. He recommends using skilled cyberthreat hunters to identify vulnerabilities and prevent breaches before they occur.
Anthem found out the hard way just how costly health data breaches can be. Last month, the health insurer agreed to pay OCR $16 million to settle HIPAA violations resulting from the breach of 79 million members' electronic PHI during a series of targeted cyberattacks in 2015. The settlement, the largest-ever HIPAA fine, follows a separate $115 million settlement in August to cover four years of credit monitoring, claims, costs and fees associated with the affected individuals.