Health Information Exchange Featured Article

July 19, 2012

Healthcare Data Breaches Still Rising

I love all the new mobile apps out there. Tracking my mileage on my runs. Checking my blood pressure and pulse, afterward. Comparing how much, and how well, I slept to the night before. And, oh yes, even Weight Watchers has one where you can count the calories of everything you eat.

But there’s a downside, and it’s big. 

The healthcare industry accounts for a larger share of reported data breaches than any other sector: 43 percent of them, according to a Symantec report cited by Patricia Resende.

And the costs continue to rise: the Symantec study puts the average cost of a breach at $5.5 million, and the average cost per compromised record at $194. Even though those costs have dropped slightly from several years ago, according to a Ponemon study, healthcare is the one sector where they have not. Physicians’ offices and small clinics report losing more than 54,000 patient records to breaches since 2009.

And the breaches have occurred all over the country, from Utah, where the files of almost 300,000 Medicaid patients were exposed in March, to Boston, where a laptop containing more than 2,000 patient records was stolen from a Boston Children’s Hospital employee at a conference in South America.

According to Bob Belfort, partner in the healthcare practice at Manatt, Phelps & Phillips, which works with states and providers on health IT and related public policy issues, the proliferation of mobile devices, combined with the HIPAA Security Rule’s treatment of encryption as an addressable safeguard rather than a strict requirement, has created “something of a data breach nightmare for hospital and public health department CIOs.”

Interviewed by Tom Sullivan of Government Health IT, Belfort noted that “a fair number of them involve portable media devices,” including lost laptops, lost CDs and lost smartphones. Add to that the fact that, under HIPAA, encryption is not “a hard and fast requirement” but something providers assess their own ability to comply with, which “has created some opportunity in organizations for people to take the obligation to encrypt on mobile devices maybe less seriously,” and yes, it’s a nightmare, or maybe even a disaster.

Belfort added that it continued to amaze him to see reported breaches involving lost laptops, CDs or thumb drives “when encrypting the data on those devices is not difficult and encrypting it insulates you from having to do breach notification.”
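To make Belfort’s point concrete, here is an added example (not code from the article or from any organization it mentions) of what encrypting records on a portable device looks like at the application level. It uses Go’s standard-library AES-256-GCM. The assumptions are that the key lives somewhere other than the device (an escrow service or a hardware-backed keystore that releases it only to an authenticated user) and that the record identifier and record contents are constructed sample data. The reason the key must not travel with the laptop is the same reason encryption insulates you from notification: a thief who gets only the sealed blobs gets nothing readable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// keySize is 32 bytes: AES-256.
const keySize = 32

// NewRecordKey generates the key that protects the records on a portable
// device. The key is NOT stored on the device (assumption: it is held by an
// escrow service or hardware-backed keystore), so a stolen laptop yields
// sealed blobs and nothing else.
func NewRecordKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one patient record with AES-256-GCM. The record identifier is
// bound as additional authenticated data, so a blob cannot be silently moved
// from one patient's entry to another's. Layout: nonce || ciphertext || tag.
func Seal(key, recordID, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open authenticates and decrypts a blob produced by Seal. A wrong key, a
// wrong record identifier or a single flipped byte makes it fail before any
// plaintext is returned.
func Open(key, recordID, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], recordID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewRecordKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	recordID := []byte("MRN-0000001")
	record := []byte("Doe, Jane; DOB 1970-01-01; dx: hypertension")

	blob, err := Seal(key, recordID, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored on device: %d-byte blob, no plaintext\n", len(blob))

	// Legitimate access: key released from escrow, record opens.
	if pt, err := Open(key, recordID, blob); err == nil {
		fmt.Printf("with key: %s\n", pt)
	}
	// The thief has the blob but not the key: authentication fails.
	wrongKey, _ := NewRecordKey()
	if _, err := Open(wrongKey, recordID, blob); err != nil {
		fmt.Println("without the right key:", err)
	}
	// Any modification of the blob is detected rather than decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, recordID, tampered); err != nil {
		fmt.Println("after tampering:", err)
	}
}
```

In practice the simpler route for laptops and thumb drives is whole-disk encryption at the operating-system level, which covers every file without application changes; the example shows the shape of the guarantee either way, and the part that matters most for a lost device is the same in both: the key (or the passphrase that unlocks it) must not be sitting on the device next to the data.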

The good news, if there is any, is that a lost device does not always mean the information on it was accessed, according to Belfort. A stolen laptop or a discovered vulnerability does not make it a given that “the vulnerability was exploited or data might be lost in some way but the circumstances suggest it wasn’t accessed by anyone.”

The interesting, or maybe valuable, point is that most healthcare organizations err on the side of caution and designate incidents as breaches even when there is reasonable doubt that they meet the standard for a true breach. “There is a fear of being penalized for not doing that notification,” Belfort told Sullivan.

Incessant notification, however, can be self-defeating, because it may cause “notification fatigue” among consumers, who may start to think this has happened before and is no big deal, Belfort told Sullivan. So hospitals have to walk a tightrope between unduly scaring patients and having them tune out when they should be paying attention, for instance to the fact that a larger proportion of patients die after surgery at one hospital than at another.

Edited by Braden Becker