Abstract
This study evaluates the internal and external sources of and preventive steps for data breaches in health care organizations from 2009 to 2017.
Data breach of protected health information (PHI) poses substantial financial, reputational, and clinical risk for health care entities and patients and is associated with public health challenges.1,2,3 Policymakers, health care entities, and the public are increasingly concerned about PHI security, but research has not examined the detailed causes of PHI breaches and the preventive actions adopted by health care entities after the breach.4 In this retrospective study, we aimed to fill these knowledge gaps.
Methods
Health care entities are legally required to notify the US Department of Health and Human Services of any data breaches of unsecured PHI.5 The Office for Civil Rights reviews and publishes on its website the PHI breaches that affect 500 or more individuals.6 On March 20, 2018, the US Department of Health and Human Services published detailed event descriptions for 1138 breach cases that occurred between October 21, 2009, and December 31, 2017. These cases affected the PHI of 164 million patients in total. The human subjects research policy of The Johns Hopkins Institutional Review Board determined that this study did not require approval; study design obviated the need for consent procedures.
Since 2011, the US Department of Health and Human Services has asked health care entities to self-categorize their breach as 1 of 6 types: hacking or information technology incident, improper disposal (electronic media or paper records not appropriately cleared or shredded), loss, theft, unauthorized access or disclosure (breaches from misdirected mailing or other communication), and unknown or other. However, whether the categorization has been consistently applied across health care entities is unclear. Using detailed event descriptions, we confirmed the categorization of 883 cases (77.6%) of 1138 PHI breaches and recategorized 255 cases (22.4%) that were originally either placed in the unknown or other category or misclassified by the reporting entity. We then summarized the detailed causes for the 5 categories and differentiated them as internal (eg, theft committed by an employee) or external (eg, lost in transportation).
In addition, we reported the locations of the breached PHI (paper records, mobile devices, and network servers or cloud) and separated all cases related to communication by medium (mail or email). We also summarized common corrective actions that health care entities have taken to prevent future incidents.
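To make the categorization procedure concrete, the following Python script is an added example, not the study's own analysis code. It walks constructed records laid out like the OCR breach portal's CSV export (the column names follow that export but are an assumption here; the five entities, counts and descriptions are made up), normalizes the self-reported breach type, recategorizes from the event description with a hypothetical keyword rubric standing in for the authors' manual review, classifies each case as internal or external using the study's rule that unspecified perpetrators count as external, and counts storage locations once per location so a breach listing several locations contributes to each group.

```python
"""Tally breach-portal style records the way the study's Methods describe.

Added example, not the study's code. Column names mirror the OCR breach
portal CSV export but are assumed; sample rows are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample in the (assumed) portal export layout.
SAMPLE_CSV = """Name of Covered Entity,Individuals Affected,Type of Breach,Location of Breached Information,Web Description
Entity A,1200,Theft,Laptop,A laptop containing PHI was stolen from an employee's vehicle by an unknown party.
Entity B,3400,Unauthorized Access/Disclosure,Paper/Films,Statements were mailed to the wrong recipients due to a printing error.
Entity C,50000,Hacking/IT Incident,Network Server,An attacker used an employee's login credentials to access the server.
Entity D,800,Other,"Laptop, Desktop Computer",A former employee took a laptop and a desktop computer containing PHI.
Entity E,600,Loss,Paper/Films,Records were lost by the mail carrier in transit.
"""

# Portal labels -> the study's five categories (assumed label spellings).
SELF_REPORTED = {
    "theft": "theft",
    "unauthorized access/disclosure": "unauthorized access or disclosure",
    "hacking/it incident": "hacking or it incident",
    "loss": "loss",
    "improper disposal": "improper disposal",
}

# Keyword rules standing in for the manual review of descriptions.
# First matching rule wins. Hypothetical rubric, not the authors'.
DESCRIPTION_RULES = [
    ("hacking or it incident", ("hacker", "attacker", "malware", "phishing", "ransomware")),
    ("theft", ("stole", "stolen", "theft", "took")),
    ("loss", ("lost", "misplaced")),
    ("improper disposal", ("disposed", "shredded", "purged", "discarded")),
    ("unauthorized access or disclosure", ("mailed", "emailed", "wrong recipient", "without authorization")),
]

# External markers are checked first: the study counts a hacker using an
# employee's credentials, or a theft by an unknown party, as external.
EXTERNAL_MARKERS = ("unknown party", "hacker", "attacker", "malware", "mail carrier", "business associate")
INTERNAL_MARKERS = ("employee", "staff", "workforce member", "wrong recipient", "printing error")

# Portal location labels -> the three storage locations the study reports.
LOCATION_GROUPS = {
    "laptop": "mobile device",
    "other portable electronic device": "mobile device",
    "paper/films": "paper records",
    "network server": "network server or cloud",
}


def categorize(self_reported, description):
    """Return the study-style category, preferring the description over the label."""
    text = description.lower()
    for category, keywords in DESCRIPTION_RULES:
        if any(k in text for k in keywords):
            return category
    return SELF_REPORTED.get(self_reported.strip().lower(), "unknown or other")


def origin(description):
    """Internal vs external; unspecified perpetrators count as external."""
    text = description.lower()
    if any(m in text for m in EXTERNAL_MARKERS):
        return "external"
    if any(m in text for m in INTERNAL_MARKERS):
        return "internal"
    return "external"


def tally_breaches(csv_text):
    """Reproduce the study's tallies over a portal-style CSV export."""
    by_category, by_origin, by_location, patients = Counter(), Counter(), Counter(), Counter()
    recategorized = 0
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        reported = SELF_REPORTED.get(row["Type of Breach"].strip().lower(), "unknown or other")
        final = categorize(row["Type of Breach"], row["Web Description"])
        recategorized += final != reported
        by_category[final] += 1
        by_origin[origin(row["Web Description"])] += 1
        patients[final] += int(row["Individuals Affected"])
        # One breach may list several locations; count it once per location group.
        for loc in row["Location of Breached Information"].split(","):
            by_location[LOCATION_GROUPS.get(loc.strip().lower(), "other")] += 1
    return {
        "total": len(rows),
        "by_category": dict(by_category),
        "by_origin": dict(by_origin),
        "by_location": dict(by_location),
        "patients_by_category": dict(patients),
        "recategorized": recategorized,
    }


if __name__ == "__main__":
    for key, value in tally_breaches(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Because locations are counted per location rather than per breach, the location totals can exceed the number of breaches, which is why the study's location percentages do not sum to 100.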
Results
As shown in the Table, theft by outsiders or unknown parties (370 [32.5%]), disclosing PHI through mailing mistakes by employees (119 [10.5%]), and theft by former or current employees (102 [9.0%]) were the 3 major causes of PHI breaches. These causes were followed by employees taking PHI home or forwarding it to personal accounts or devices (74 [6.5%]) and hacking or information technology incidents committed by undisclosed parties (70 [6.2%]). Overall, 603 PHI breaches (53.0%) were internal, attributable to the health care entities’ own mistakes or neglect.
Table. Protected Health Information Breach Causes.

| US Department of Health and Human Services Breach Category | Frequency (N = 1138), No. (%) | Patients Affected, Millions | Detailed Cause | Internal (a), No. (%) | External (b), No. (%) |
|---|---|---|---|---|---|
| Theft (stealing of equipment or PHI) | 472 (41.5) | 22.2 | Theft committed by outsiders or unknown parties | NA | 370 (32.5) |
| | | | Theft committed by former or current employees | 102 (9.0) | NA |
| Unauthorized access or disclosure (only if no other category applies, such as communication mistakes) | 284 (25.0) | 20.3 | Employee disclosing PHI through mailing mistakes (eg, wrong recipients; sensitive information showing through envelope windows) | 119 (10.5) | NA |
| | | | Employee taking PHI home or forwarding PHI to personal accounts or devices | 74 (6.5) | NA |
| | | | Employee accessing PHI without authorization | 39 (3.4) | NA |
| | | | Employee disclosing PHI through email mistakes (eg, wrong recipients, cc instead of bcc, unencrypted content) | 32 (2.8) | NA |
| | | | Other accidental disclosure of PHI by employees | 20 (1.8) | NA |
| Hacking or IT incident (technical intrusions into an entity's server or computers) | 233 (20.5) | 133.8 | No specification of perpetrators | NA | 70 (6.2) |
| | | | Entity accidentally exposing PHI through the Internet | 62 (5.4) | NA |
| | | | Malware or virus | NA | 60 (5.3) |
| | | | Employee clicking phishing emails | 39 (3.4) | NA |
| | | | Hackers using employees' login and password | NA | 2 (0.2) |
| Loss (losing equipment or paper records) | 115 (10.1) | 5.7 | Entity losing or misplacing unencrypted equipment (eg, laptop computer) | 53 (4.7) | NA |
| | | | Business associate or mail carrier losing PHI in transportation | NA | 33 (2.9) |
| | | | Entity losing or misplacing paper records | 29 (2.5) | NA |
| Improper disposal (electronic media not appropriately cleared or purged, or paper records not appropriately shredded or destroyed) | 34 (3.0) | 0.7 | Entity not purging PHI saved in electronic devices or inappropriately disposing of PHI saved on paper records, x-ray films, or microfilms | 34 (3.0) | NA |
| Total | 1138 | 164 | NA | 603 (53.0) | 535 (47.0) |

Abbreviations: IT, information technology; NA, not applicable; PHI, protected health information.
(a) Internal causes were the health care entities' own mistakes or neglect (eg, theft committed by a former employee).
(b) External causes were all other causes, including cases in which the perpetrators were not specified.
Breaches were located in mobile devices (524 [46.1%]), paper records (326 [28.7%]), and network servers (333 [29.3%]), with multiple locations involved occasionally. Common corrective actions included encrypting and restricting the use of mobile devices when the breached PHI had been stored in those devices; digitizing PHI and enhancing the safety of the storage facility in which paper records were stored; and monitoring or auditing access to and strengthening firewalls for network servers or the cloud.
Among the 232 breaches (20.4%) that occurred during PHI communication, 152 (65.5%) were mailing mistakes and 80 (34.5%) were emailing mistakes. After the breach, before mailing PHI, entities typically adopted mandatory verification of the recipient and the information exposed through envelope windows. Before emailing PHI, entities adopted mandatory verification of the recipient, the copy protocol (bcc vs cc), and the encryption of content.
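The email-side corrective actions above (verify the recipient, check bcc versus cc, encrypt the content) can be enforced before a message leaves the organization. The following Python script is an added example, not code from the study or from any health care entity it describes: a pre-send check that flags recipient domains one edit away from a trusted domain, flags bulk external recipients placed in To or Cc rather than Bcc, and flags a body with PHI indicators going to external recipients without encryption. The message layout, the trusted-domain set and the PHI patterns are assumptions chosen for illustration, and the patterns are not a complete data-loss-prevention rule set.

```python
"""Pre-send email check for the three corrective actions in the text.

Added example, not the study's code. Message dicts, trusted domains and
PHI patterns are assumed for illustration.
"""
import re

# Illustrative PHI indicators, used only to decide whether encryption is needed.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                     # US SSN
    re.compile(r"\bMRN\s*[:#]?\s*\d{6,}\b", re.IGNORECASE),   # medical record number
    re.compile(r"\b(DOB|date of birth)\b", re.IGNORECASE),
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def contains_phi(text):
    return any(p.search(text) for p in PHI_PATTERNS)


def check_outbound(msg, trusted_domains, max_visible_external=1):
    """Return a list of findings; an empty list means the message may be sent.

    msg is a dict with keys to, cc, bcc (lists of addresses), body (str) and
    encrypted (bool, assumed to be set by the mail gateway when content
    encryption such as S/MIME or a secure-message portal is applied).
    """
    to, cc, bcc = msg.get("to", []), msg.get("cc", []), msg.get("bcc", [])
    external = [a for a in to + cc + bcc if domain_of(a) not in trusted_domains]
    visible_external = [a for a in to + cc if domain_of(a) not in trusted_domains]
    findings = []

    # 1. Recipient verification: a domain one edit away from a trusted one is
    #    the classic wrong-recipient typo.
    for addr in external:
        near = [t for t in trusted_domains if 0 < edit_distance(domain_of(addr), t) <= 1]
        if near:
            findings.append(f"recipient {addr}: domain looks like trusted {near[0]}; confirm before sending")

    # 2. Copy protocol: bulk external recipients in To/Cc disclose every address.
    if len(visible_external) > max_visible_external:
        findings.append(f"{len(visible_external)} external recipients in To/Cc; put bulk recipients in Bcc")

    # 3. Encryption: PHI leaving the organization must be encrypted.
    if contains_phi(msg.get("body", "")) and external and not msg.get("encrypted", False):
        findings.append("body appears to contain PHI and goes to external recipients unencrypted; encrypt before sending")

    return findings


if __name__ == "__main__":
    trusted = {"clinic.example"}   # assumed internal domain
    statement = {
        "to": ["p1@mail.example", "p2@other.example", "p3@third.example"],
        "body": "Your MRN: 1234567 statement is attached.",
        "encrypted": False,
    }
    for finding in check_outbound(statement, trusted):
        print("BLOCK:", finding)
```

The check is deliberately conservative: it blocks on a single look-alike domain even when the other checks pass, since a misdirected message cannot be recalled once delivered.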
Discussion
Our analysis of 1138 PHI breaches from 2009 to 2017 that affected 164 million patients indicates that more than half of the cases were not from external causes but were attributable to internal mistakes or neglect. Different storage locations and communication channels carry different PHI breach risks, and adopting the common corrective actions described above has the potential to mitigate them. These results might not be generalizable to breaches that affect fewer than 500 patients. Health care entities must understand the causes of PHI breaches if they aim to manage effectively the trade-off between wider access or higher efficiency and more security.
References
- 1. Blumenthal D, McGraw D. Keeping personal health information safe: the importance of good data hygiene. JAMA. 2015;313(14):1424. doi:10.1001/jama.2015.2746
- 2. Gordon WJ, Fairhall A, Landman A. Threats to information security: public health implications. N Engl J Med. 2017;377(8):707-709. doi:10.1056/NEJMp1707212
- 3. Liu V, Musen MA, Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252
- 4. Bai G, Jiang JX, Flasher R. Hospital risk of data breaches. JAMA Intern Med. 2017;177(6):878-880. doi:10.1001/jamainternmed.2017.0336
- 5. Department of Health & Human Services. Submit notice of breach to the secretary. https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html. Accessed July 6, 2018.
- 6. Department of Health & Human Services, Office for Civil Rights. Breach portal: notice to the Secretary of HHS breach of unsecured protected health information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed July 6, 2018.