Recent Healthcare Information Breaches and their Lessons

Authors

  • Haroon Elahi
  • Oana Geman, Stefan cel Mare University of Suceava

Keywords:

Healthcare breaches, Ethics, Lessons

Abstract

IMPORTANCE: Modern health facilities are continually reporting data breaches, which raises the need to understand underlying factors and design mitigation strategies accordingly.  

OBJECTIVE: The objective of this research is to analyze real healthcare data breaches, identify underlying factors, and report the lessons that may help in preventing future breaches.

DESIGN: This study is based on exploratory analysis of electronic health record breaches reported to the U.S. Department of Health and Human Services, Office for Civil Rights during the past twenty-four months (December 2018 - December 2020).

DATA SOURCES: This study uses data on breaches reported within the last twenty-four months and currently under investigation by the Office for Civil Rights, obtained from the breach portal of the U.S. Department of Health and Human Services, Office for Civil Rights. These breaches affected more than 42 million individuals.

METHODS: We analyze 698 breach cases affecting more than 42 million individuals to identify the underlying attack patterns, trends, outliers, unexpected results, and major factors leading to these recently reported electronic health record breaches.

RESULTS: The frequency of data breaches reported during the past twenty-four months shows an increasing trend; their overall impact size is consistent, with a few exceptions. The most significant data breaches involved business associates, healthcare providers, health plans, and healthcare clearinghouses, with breaches at healthcare providers and business associates affecting the privacy of about 83% of the affected individuals. However, most breaches occurred at smaller entities. Hacking incidents involving email and network servers are the most common breach types, followed by unauthorized access, theft, improper disposal of records and devices, and loss.

CONCLUSION: The nature and size of the incidents suggest that particular attention should be paid to human factors, small-sized healthcare entities, business associates, and the continuous revision of related security standards and frameworks.

Published

2020-12-30

Section

Original Research Communication

How to Cite

Recent Healthcare Information Breaches and their Lessons. (2020). Archives of Surgical Research, 1(4), 17-23. http://www.archivessr.com/index.php/asr/article/view/54