Abstract
This analysis uses data from the Department of Health and Human Services to examine what type of hospitals face a higher risk of data breaches.
As the adoption of electronic health records and health information technology rapidly expands, hospitals and other health care providers increasingly suffer data breaches. A data breach is an impermissible use or disclosure that compromises the security or privacy of protected health information; it is commonly caused by a malicious or criminal attack, a system glitch, or human error. Policy makers, hospital administrators, and the public have a strong interest in reducing the incidence of data breaches. In this retrospective data analysis, we use data from the Department of Health and Human Services (HHS) to examine what type of hospitals face a higher risk of data breaches.
Methods
Under the Health Information Technology for Economic and Clinical Health Act of 2009, all entities covered by the Health Insurance Portability and Accountability Act, including health care providers, must notify HHS of any breach of protected health information affecting 500 or more individuals within 60 days of discovering the breach. HHS publishes the submitted breach incidents on its website; the earliest submission date is October 21, 2009. We were able to link 141 acute care hospitals to their fiscal year 2014 Medicare cost reports filed with the Centers for Medicare and Medicaid Services (CMS). The unlinked hospitals include long-term care hospitals, Veterans Affairs and military hospitals, hospital systems, and hospitals that could not be identified in the CMS data set. We applied multivariable and regression analyses to compare these 141 hospitals with the other acute care hospitals in the CMS data to understand what type of hospitals face a higher risk of breaches. Statistical analysis was performed with SAS 9.4 (SAS Institute Inc) and STATA 14 (StataCorp LLC). Group comparisons used t tests, and P < .05 was considered significant.
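The linkage step described above, matching each breached entity in the HHS portal to a CMS cost-report record by hospital name and state and then summarizing bed size and teaching status for breached versus non-breached hospitals, can be illustrated as follows. This is an added example, not the authors' SAS or STATA code; every hospital, bed count, and breach row in it is constructed, the name-normalization rules (case folding, punctuation removal, dropping corporate suffixes) are an assumption about how such a match would be done, and the example deliberately flags unmatched and ambiguous names rather than guessing, since that is exactly where the name-and-state matching described in the Methods can be incomplete or inaccurate.

```python
"""Link HHS breach-portal rows to CMS cost-report rows by hospital name and state.

Added illustration, not the study's own code. All rows below are constructed
sample data, not real HHS or CMS records.
"""
import re
from collections import defaultdict
from statistics import quantiles

# Constructed HHS breach rows: (covered entity name, state, individuals affected)
HHS_BREACHES = [
    ("Example Medical Center", "NY", 2100),
    ("Example Medical Center", "NY", 900),       # same hospital, second breach
    ("Riverbend Hospital, Inc.", "TX", 25000),
    ("Northside General Hospital", "CA", 600),  # no CMS record: stays unlinked
    ("Lakeside Hospital", "IL", 1500),          # two CMS records: ambiguous
]

# Constructed CMS cost-report rows: (provider id, name, state, beds, major teaching)
CMS_HOSPITALS = [
    ("100001", "EXAMPLE MEDICAL CENTER", "NY", 450, True),
    ("100002", "RIVERBEND HOSPITAL INC", "TX", 180, False),
    ("100003", "LAKESIDE HOSPITAL", "IL", 120, False),
    ("100004", "LAKESIDE HOSPITAL", "IL", 95, False),
    ("100005", "SMALL COMMUNITY HOSPITAL", "OH", 60, False),
    ("100006", "BIG TEACHING HOSPITAL", "MA", 700, True),
]

# Assumed list of corporate tokens that differ between the two data sources.
_SUFFIXES = {"inc", "llc", "corp", "corporation", "the"}


def normalize_name(name: str) -> str:
    """Case-fold, drop punctuation and corporate suffixes, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def link_breaches(breaches, cms):
    """Return (linked, unlinked, ambiguous).

    linked:    {provider_id: {"beds", "teaching", "breaches", "affected"}}
    unlinked:  (name, state) pairs with no CMS candidate
    ambiguous: (name, state) pairs with more than one CMS candidate; these are
               reported, not linked, so a wrong record is never counted.
    """
    index = defaultdict(list)
    for pid, name, state, beds, teaching in cms:
        index[(normalize_name(name), state)].append((pid, beds, teaching))

    linked, unlinked, ambiguous = {}, [], []
    for name, state, affected in breaches:
        cands = index.get((normalize_name(name), state), [])
        if not cands:
            unlinked.append((name, state))
            continue
        if len(cands) > 1:
            ambiguous.append((name, state))
            continue
        pid, beds, teaching = cands[0]
        rec = linked.setdefault(
            pid, {"beds": beds, "teaching": teaching, "breaches": 0, "affected": 0}
        )
        rec["breaches"] += 1          # repeat breaches accumulate per hospital
        rec["affected"] += affected   # total affected individuals per hospital
    return linked, unlinked, ambiguous


def median_iqr(values):
    """Median and interquartile range (Q1, Q3), inclusive quartile method."""
    q1, med, q3 = quantiles(values, n=4, method="inclusive")
    return med, q1, q3


def compare_groups(linked, cms):
    """Summarize breached vs non-breached hospitals the way the Results section does."""
    def summary(beds, teaching):
        med, q1, q3 = median_iqr(beds)
        return {"n": len(beds), "beds_median": med, "beds_iqr": (q1, q3),
                "teaching_share": sum(teaching) / len(teaching)}

    breached = list(linked.values())
    others = [(beds, teach) for pid, _, _, beds, teach in cms if pid not in linked]
    return {
        "breached": summary([r["beds"] for r in breached], [r["teaching"] for r in breached]),
        "not_breached": summary([b for b, _ in others], [t for _, t in others]),
    }


if __name__ == "__main__":
    linked, unlinked, ambiguous = link_breaches(HHS_BREACHES, CMS_HOSPITALS)
    print("linked:", linked)
    print("unlinked (no CMS match):", unlinked)
    print("ambiguous (multiple CMS matches):", ambiguous)
    print(compare_groups(linked, CMS_HOSPITALS))
```

The unlinked and ambiguous lists are the part worth keeping in a real run: each entry there is a hospital that silently drops out of the "breached" group and is counted among the non-breached hospitals instead, which biases the comparison toward finding no difference. Reviewing those entries by hand (or adding a second key such as city or CMS provider number) is the practical mitigation for the matching limitation the study notes.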
Results
Between October 21, 2009, and December 31, 2016, 1798 data breaches were reported. Of these, 1225 were reported by health care providers and the remainder by business associates, health plans, or health care clearinghouses. Hospitals reported 257 breaches (216 distinct hospitals), with a median (interquartile range [IQR]) of 1847 (872-4859) affected individuals per breach; 33 hospitals had been breached at least twice, many of them large major teaching hospitals (Table 1). Table 2 lists hospitals with more than 20 000 total affected individuals. For the 141 acute care victim hospitals linked to their 2014 CMS cost reports, the median (IQR) number of beds was 262 (137-461) and 52 (37%) were major teaching hospitals. In contrast, among the 2852 acute care hospitals not identified as having had a breach, the median (IQR) number of beds was 134 (64-254), and 265 (9%) were major teaching hospitals. Hospital size and major teaching status were both positively associated with the risk of data breaches (P < .001).
Table 1. Hospitals Breached More Than Once Between October 21, 2009, and December 25, 2016.
Hospital Name | State | No. of Breaches |
---|---|---|
Montefiore Medical Center | NY | 4 |
University of Rochester Medical Center & Affiliates | NY | 4 |
Brigham and Women's Hospital | MA | 3 |
Cook County Health & Hospitals System | IL | 3 |
Mount Sinai Medical Center | FL | 3 |
St Vincent Hospital and Healthcare, Inc | IN | 3 |
Advocate Health and Hospitals Corporation | IL | 2 |
Aventura Hospital and Medical Center | FL | 2 |
Beth Israel Deaconess Medical Center | MA | 2 |
Children's Medical Center of Dallas | TX | 2 |
Children's National Medical Center | DC | 2 |
Florida Hospital | FL | 2 |
Georgetown University Hospital | DC | 2 |
Henry Ford Hospital | MI | 2 |
Holy Cross Hospital | FL | 2 |
Hospital for Special Surgery | NY | 2 |
Jersey City Medical Center | NJ | 2 |
Jewish Hospital | KY | 2 |
Kern Medical Center | CA | 2 |
Long Beach Memorial Medical Center | CA | 2 |
Lucile Packard Children's Hospital | CA | 2 |
Martin Army Community Hospital | GA | 2 |
Massachusetts General Hospital | MA | 2 |
Mercy Medical Center Redding | CA | 2 |
Mount Sinai Medical Center | NY | 2 |
NYU Hospitals Center | NY | 2 |
Phoebe Putney Memorial Hospital | GA | 2 |
Rady Children's Hospital - San Diego | CA | 2 |
Riverside County Regional Medical Center | CA | 2 |
St Elizabeth's Medical Center | MA | 2 |
Thomas Jefferson University Hospitals, Inc | PA | 2 |
Titus Regional Medical Center | TX | 2 |
UC Davis Medical Center | CA | 2 |
Table 2. Breached Hospitals With More Than 20 000 Total Affected Individuals.
Hospital Name | State | Total Affected Individuals |
---|---|---|
Advocate Health and Hospitals Corporation^a | IL | 4 031 767 |
AHMC Healthcare Inc and affiliated Hospitals | CA | 729 000 |
Jacobi Medical Center | NY | 90 060 |
Providence Hospital | MI | 83 945 |
St Vincent Hospital and Healthcare, Inc^a | IN | 65 666 |
Cincinnati Children’s Hospital Medical Center | OH | 60 998 |
Montefiore Medical Center^a | NY | 53 715 |
Kaiser Foundation Hospital- Orange County | CA | 49 000 |
Methodist Dallas Medical Center | TX | 44 000 |
Seton Family of Hospitals | TX | 39 000 |
Jersey City Medical Center^a | NJ | 37 847 |
Santa Rosa Memorial Hospital | CA | 33 702 |
Cook County Health & Hospitals System^a | IL | 30 148 |
Integrity Transitional Hospital | TX | 29 514 |
St Luke's Cornwall Hospital | NY | 29 156 |
Gibson General Hospital | IN | 28 893 |
Blount Memorial Hospital, Inc | TN | 27 799 |
Jamaica Hospital Medical Center | NY | 26 162 |
Our Lady of Peace Hospital | KY | 24 600 |
Thomas Jefferson University Hospitals, Inc^a | PA | 24 150 |
Children's National Medical Center^a | DC | 22 107 |
Reid Hospital & Health Care Services | IN | 22 001 |
Florida Hospital^a | FL | 21 484 |
Rady Children's Hospital - San Diego^a | CA | 20 428 |
^a Hospitals that experienced at least 1 breach occurring between October 21, 2009, and December 31, 2016.
Discussion
A fundamental trade-off exists between data security and data access. Broad access to health information, essential for hospitals' quality improvement efforts and their research and education needs, inevitably increases the risk of data breaches and makes "zero breach" an extremely challenging objective. The evolving landscape of breach activity, detection, management, and response requires hospitals to continuously evaluate their risks and apply best data security practices. Despite the call for good data hygiene, little evidence exists on the effectiveness of specific practices in hospitals. Identifying evidence-based, effective data security practices should be made a research priority.
This study has 3 important limitations. First, data breaches affecting fewer than 500 individuals were not examined, because they are not reported in the HHS data used here. Second, because each victim hospital was matched to its CMS cost report by name and state, the matching might be incomplete or inaccurate for some hospitals. Finally, our analysis is limited to the hospital industry. Future studies that examine the characteristics of other types of health care entities that experienced data breaches are warranted.
References
1. Liu V, Musen MA, Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313(14):1471-1473.
2. US Department of Health and Human Services. Breach Notification Rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification. Accessed December 28, 2016.
3. Ponemon Institute. Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. http://www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data-1. Accessed December 28, 2016.
4. Bai G, Anderson GF. A more detailed understanding of factors associated with hospital profitability. Health Aff (Millwood). 2016;35(5):889-897.
5. US Department of Health and Human Services. Breaches affecting 500 or more individuals. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed December 28, 2016.
6. Blumenthal D, McGraw D. Keeping personal health information safe: the importance of good data hygiene. JAMA. 2015;313(14):1424.