29 million US health records exposed by data breaches between 2010 and 2013

Approximately 29 million health records were affected by data breaches between 2010 and 2013 in the US — 67 percent of which were stored electronically, according to a study published in the Journal of the American Medical Association today. These data breaches involved unencrypted information that could be identified and tied back to individuals. And what’s worse is that the study indicates that these data breaches are on the rise.

“The personal health information of patients in the United States is not safe,” write Commonwealth Fund physician David Blumenthal and health care lawyer Deven McGraw, in an editorial published alongside the study today. “And it needs to be.”

Overall, 58 percent of the data breaches occurred via theft. The other 42 percent had to do with loss or improper disposal of data, unauthorized access or disclosure of health information, and hacking or information technology incidents. In 67 percent of cases, data breaches involved health information stored electronically. And most of the time, these breaches were connected to laptop computers and portable electronic devices, like cell phones and tablets.

But the frequency of these data breaches might actually be the most worrisome aspect of this study. In 2013, the frequency of breaches that occurred through hacking, unauthorized access, or unauthorized disclosure increased to 27 percent, from 12 percent just three years prior. And the frequency could increase further still, the researchers say.

“Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services… the frequency and scope of electronic health care data breaches are likely to increase,” the researchers write in the study. These security breaches could involve everything from health sensors and gene sequencing technology, to predictive analytics and personal health records.

To get these numbers, the researchers sifted through a government database containing information about data breaches involving unencrypted health information reported by clinicians and health plans. They analyzed reports of data breaches involving 500 individuals or more — about 82 percent of reports, or 949 breaches total. All the health information was protected by the Health Insurance Portability and Accountability Act (HIPAA), an act designed to protect the confidentiality and security of health care information.

The fact that 29 million electronic health records were exposed through data breaches between 2010 and 2013 doesn’t mean that 29 million individual Americans suffered a data breach of this sort during those three years. It’s entirely possible that certain individuals were hit more than once, or that some of the health information was duplicated elsewhere. Still, it looks like millions of people in the US have been victims of an invasion of privacy. Moreover, because the researchers only analyzed data breaches involving 500 people or more, the “29 million electronic health records” they report is definitely an underestimation.

Overall, the study paints a pretty depressing picture for those who think electronic records could reduce the cost of health care as whole, while improving its accuracy and speed. If these data breaches persist, Blumenthal and McGraw write, it’s possible that people will start to resist the idea of sharing their health information via electronic means, which could reduce its value for individual care and its availability for research. “The stakes associated with the privacy and security of personal health information are huge” — and these “threats to the safety of health care data need much more focused attention than they have received in the past.”