AJMC Report Reveals Common Characteristics of Hospital Data Breaches


The American Journal of Managed Care has published a report on hospital data breaches in the United States. The purpose of the report was to identify the common features of hospital data breaches, the main problem areas, the main causes of security incidents, and the kinds of information most at risk.

The report found that hospitals are the most commonly breached type of healthcare provider, accounting for roughly 30% of all large healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights by providers between 2009 and 2016.

Over that 7-year period, 215 breaches were reported by 185 nonfederal acute care hospitals, and 30 hospitals experienced multiple breaches of 500 or more healthcare records. One hospital suffered 4 separate breaches in the past 7 years, five hospitals had 3 breaches, and 24 hospitals suffered 2 breaches. In addition to hospitals experiencing the highest proportion of security breaches, those breaches also led to the theft or exposure of the highest number of health records.


The most common type of data breach was theft, reported by 112 hospitals. Unauthorized access/disclosure incidents were second, reported by 54 hospitals. Hacking/IT incidents were third and were behind 27 hospital data breaches.

Multivariate logistic regression analyses were carried out to study the factors associated with hospital data breaches. The researchers found significant differences between hospitals that had suffered a data breach and those that had not.

Teaching hospitals and pediatric hospitals were found to be the most vulnerable to data breaches. Eighteen percent of teaching hospitals had suffered at least one data breach, compared to 3% without a breach. Six percent of pediatric hospitals had suffered a breach, compared to 2% that had not.

Larger hospitals were also more prone to data breaches than smaller facilities. Twenty-six percent of large hospitals had suffered a data breach, compared to 10% that had no breaches. Investor-owned hospitals reported fewer breaches than not-for-profit hospitals.

There were no significant differences based on the level of IT sophistication, health system membership, use of biometric security, hospital area, or regional characteristics.

The researchers suggest that although hospitals have invested in technology and have digitized health data to meet Meaningful Use requirements, security has not been a main focus and investment in data security has been lacking. Hospitals typically spend only 5% of their IT budgets on security, and that needs to improve if hospital data breaches are to be avoided. Security measures also need to be improved for paper records and films to reduce the chance of unauthorized access and theft.

The researchers propose that hospitals should carry out regular audits to determine who is accessing PHI, while audits of data security controls will help hospitals identify weaknesses before they are exploited.

The use of biometric identifiers can limit the potential for unauthorized access to ePHI, and 2-factor authentication must be applied to all user accounts.

The researchers also suggest that access to PHI must be restricted to the minimum necessary for workers to complete their job duties. By limiting access, the severity of data breaches will be reduced.