Table. Protected Health Information Breach Causes.
| US Department of Health and Human Services Breach Category | Frequency (N = 1138), No. (%) | Patients Affected, Millions | Detailed Cause | Internal^a, No. (%) | External^b, No. (%) |
|---|---|---|---|---|---|
| Theft (stealing of equipment or PHI) | 472 (41.5) | 22.2 | Theft committed by outsiders or unknown parties | NA | 370 (32.5) |
| | | | Theft committed by former or current employees | 102 (9.0) | NA |
| Unauthorized access or disclosure (applies only if no other category applies, eg, communication mistakes) | 284 (25.0) | 20.3 | Employee disclosing PHI through mailing mistakes (eg, wrong recipients; sensitive information showing through envelope windows) | 119 (10.5) | NA |
| | | | Employee taking PHI home or forwarding PHI to personal accounts or devices | 74 (6.5) | NA |
| | | | Employee accessing PHI without authorization | 39 (3.4) | NA |
| | | | Employee disclosing PHI through email mistakes (eg, wrong recipients, cc instead of bcc, unencrypted content) | 32 (2.8) | NA |
| | | | Other accidental disclosure of PHI by employees | 20 (1.8) | NA |
| Hacking or IT incident (technical intrusions into an entity's server or computers) | 233 (20.5) | 133.8 | No specification of perpetrators | NA | 70 (6.2) |
| | | | Entity accidentally exposing PHI through the Internet | 62 (5.4) | NA |
| | | | Malware or virus | NA | 60 (5.3) |
| | | | Employee clicking phishing emails | 39 (3.4) | NA |
| | | | Hackers using employees' login and password | NA | 2 (0.2) |
| Loss (losing equipment or paper records) | 115 (10.1) | 5.7 | Entity losing or misplacing unencrypted equipment (eg, laptop computer) | 53 (4.7) | NA |
| | | | Business associate or mail carrier losing PHI in transportation | NA | 33 (2.9) |
| | | | Entity losing or misplacing paper records | 29 (2.5) | NA |
| Improper disposal (electronic media not appropriately cleared or purged, or paper records not appropriately shredded or destroyed) | 34 (3.0) | 0.7 | Entity not purging PHI saved on electronic devices or inappropriately disposing of PHI saved on paper records, x-ray films, or microfilms | 34 (3.0) | NA |
| Total | 1138 | 164 | NA | 603 (53.0) | 535 (47.0) |

Abbreviations: IT, information technology; NA, not applicable; PHI, protected health information.

^a Internal cause: the health care entity's own mistake or neglect (eg, theft committed by a former employee).

^b External causes: all other causes, including cases in which the perpetrators were not specified.