29.1 Million Electronic Health Records Breached


Peter Crump
Staff Writer

A recent report by the Journal of the American Medical Association (JAMA) found that between 2010 and 2013, 29.1 million medical records were exposed to data breaches in some way. Not only that, but these breaches are on the rise. Electronic health records are an excellent source of data for research in addition to improving the efficiency and care of individuals, but is it worth it if the price is putting one’s personal medical information at risk?

The team of JAMA researchers, led by Dr. Vincent Liu, conducted the study by looking at medical records maintained by the U.S. Department of Health and Human Services and covered under the Health Insurance Portability and Accountability Act (HIPAA), which regulates the management of health information. Specifically, they looked at instances that affected 500 individuals or more. Under the Health Information Technology for Economic and Clinical Health Act of 2009, reports of breaches involving over 500 records must include “the name and state of the entity breached, the number of records affected, the type and source of the breach, and the involvement of any external vendor using protected health information,” according to the JAMA report. Breaches affecting over 500 individuals accounted for 82.1 percent of all reports.

The researchers found 949 separate breaches affecting a staggering 29.1 million records in the four-year time span. Six of the breaches involved over 1 million records, and breaches were reported in every state. Five states—California, Texas, Florida, New York, and Illinois—accounted for 34.1 percent of all breaches. Furthermore, JAMA categorized the data breaches based on the media type and the method used. Across the four years, the majority of the data breaches occurred through theft of portable electronics and laptops, as opposed to hacking servers or loss and improper disposal of electronics, for example.

“Our study demonstrates that data breaches have been and will continue to be a persistent threat to patients, clinicians, and health care systems,” Liu said, according to Top Tech News.

What does this all mean for the state of electronic health records? In a JAMA editorial piece in light of the report’s findings, Dr. David Blumenthal prescribes what he calls “good data hygiene.”

Blumenthal notes that of the 29.1 million records compromised, many are duplicates, and some people may have had their medical information breached multiple times, bringing down the overall number. However, even taking this into account, the number of breaches is still in the millions, and Blumenthal explains that this could have an effect on how patients report their medical information.

“Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States,” he writes.

Blumenthal continues that part of the responsibility lies with private custodians of health care, such as clinics, health care organizations, and insurers. Over 80 percent of breaches result simply from “correctable problems,” such as neglecting basic precautions like encrypting data and prohibiting the storage of personal information on employees’ personal devices.

He also notes that policy makers are at fault, specifically pointing to the now outdated HIPAA regulations, which have proven inadequate in protecting people’s health information. HIPAA was enacted before the Internet and before current methods of electronic transmission were developed. It also does not regulate the data collecting of large digital companies like Google, Facebook, or Apple.

At the annual meeting of the Healthcare Information and Management Systems Society, Dr. Marion Jenkins also spoke of the ineffectiveness of HIPAA. He noted that HIPAA does not regulate password length or how often passwords must be changed, log-off intervals, or the type of encryption required for Wi-Fi. The Act has no mention at all of a “smartphone” or “laptop,” according to MedPage Today.

Furthermore, Jenkins spoke of the attractiveness of Electronic Health Records (EHR) to potential hackers and its future implications.

“Now that credit card companies can shut down cards quickly once they are stolen, credit card numbers aren’t worth very much to hackers,” Jenkins said. “Health records are five to 10 times more valuable [because] they can use them to do unauthorized or fraudulent Medicare or Medicaid billing.”