Table. Characteristics of Data Breaches of Protected Health Information Affecting at Least 500 Individuals Reported by Entities Covered by the: Health Insurance Portability and Accountability Act.
| Overall | Year of Data Breach |
P Valuea |
||||
|---|---|---|---|---|---|---|
| 2010 | 2011 | 2012 | 2013 | |||
| Total No. of data breaches reported |
949 | 214 | 236 | 234 | 265 | .07 |
| Total No. of records affected, in millions |
29.0 | 5.1 | 11.6 | 3.4 | 9.0 | .88 |
| No. of data breaches affecting at least 1 million records |
6 | 1 | 3 | 0 | 2 | .37 |
| Data breach by media type, No. (%) [95% CI] |
||||||
| Portable electronic device or laptop |
310 (32.7) [29.7-35.7] | 77 (36.0) [29.8-42.7] | 72 (30.5) [24.9-36.7] | 78 (33.3) [27.5-40.0] | 83 (31.3) [26.0-37.2] | |
| Desktop, email, or EMR |
148 (15.6) [13.4-18.0] | 32 (15.0) [10.7-20.4] | 25 (10.6) [7.2-15.2] | 43 (18.4) [13.9-23.9] | 48 (18.1) [13.9-23.3] | .09 |
| Paper | 212 (22.3) [19.8-25.1] | 50 (23.4) [18.1-30.0] | 55 (23.3) [18.3-29.2] | 52 (22.2) [17.3-28.0] | 55 (20.8) [16.3-26.1] | |
| Network server | 101 (10.6) [8.8-12.8] | 16 (7.5) [4.6-11.9] | 25 (10.6) [7.2-15.2] | 29 (12.4) [8.7-17.3] | 31 (11.7) [8.3-16.2] | |
| Other | 178 (18.8) [16.4-21.4] | 39 (18.2) [13.6-24.0] | 59 (25.0) [19.9-31.0] | 32 (13.7) [9.8-18.7] | 48 (18.1) [13.9-23.3] | |
| Data breach category, No. (%) [95% CI] |
||||||
| Theft | 552 (58.2) [55.0-61.3] | 139 (65.0) [58.3-71.1] | 142 (60.2) [53.7-66.3] | 141 (60.3) [53.8-66.4] | 130 (49.1) [43.0-55.1] | |
| Loss or improper disposal |
105 (11.1) [9.2-13.2] | 24 (11.2) [7.6-16.2] | 21 (8.9) [5.9-13.3] | 28 (12.0) [8.4-16.8] | 32 (12.1) [8.6-16.6] | |
| Unauthorized access or disclosure |
140 (14.8) [12.6-17.2] | 16 (7.5) [4.6-11.9] | 39 (16.5) [12.3-21.9] | 36 (15.4) [11.3-20.6] | 49 (18.5) [14.2-23.7] | .003 |
| Hacking or IT incident |
67 (7.1) [5.6-8.9] | 10 (4.7) [2.5-8.5] | 20 (8.5) [5.5-12.8] | 14 (6.0) [3.6-9.9] | 23 (8.7) [5.8-12.8] | |
| Other | 85 (9.0) [7.3-11.0] | 25 (11.7) [8.0-16.8] | 14 (5.9) [3.5-9.8] | 15 (6.4) [3.9-10.4] | 31 (11.7) [8.3-16.2] | |
| Data breach involved external vendor, No. (%) [95% CI] |
273 (28.8) [25.9-31.7] | 54 (25.2) [19.8-31.5] | 76 (32.2) [26.5-38.5] | 70 (29.9) [24.4-36.1] | 73 (27.6) [22.5-33.3] | .39 |
Abbreviations: EMR, electronic medical record; IT, information technology.
a
Calculated using linear regression or χ2 tests.