A visit to the doctor can be stressful. The source of your worries is often obvious — like finding out the results of a blood test or whether a sprained ankle will keep you off the track this season.
But now a new worry has emerged, one that threatens to undermine patient confidence in the healthcare system. Researchers have found that the number of breaches of medical data in the United States increased between 2010 and 2013.
This loss of sensitive medical information involved 29 million patient records. Of the 949 breaches reported to the Department of Health and Human Services (HHS) during that time, six involved more than 1 million patient records each.
Those figures don’t include breaches this year that have affected more than 90 million people.
In the study, published today in JAMA, researchers found that electronic media — desktop computers, laptops, email, and portable electronic devices — were the most common source of data losses.
Accidental loss or improper disposal of data accounted for 11 percent of the breaches. But criminal activity remained a large part of the equation. In fact, the share of breaches from hacking or unauthorized access increased from 12 percent to 27 percent during those three years.
“The persistent threat of theft and the increase in hacking raise serious security concerns,” the study authors wrote.
Recent Hacking Highlights Medical Data Woes
The HHS database only includes breaches affecting 500 people or more, so it is possible that smaller breaches have gone unreported.
But recent large data breaches in the healthcare industry highlight the extent of the problem. A hacking attack on Premera Blue Cross last month involved 11 million patients. Another attack in February on Anthem affected 80 million.
While the new study shows trends in data breaches, high-profile hacking attacks over the past year have likely raised awareness of the issue even more.
“The extent of how big these data breaches were has gotten everybody’s attention,” said Gregory Fliszar, a member of law firm Cozen O’Connor, which specializes in health law and privacy issues in the healthcare industry.
Health Information Is the New ‘Low-Hanging Fruit’
The data woes of the healthcare industry may shock patients, but they’re not unexpected.
“I think definitely the healthcare industry is the low-hanging fruit,” said Fliszar.
One reason is that hackers and criminals are attracted to the vast treasure trove of medical data stored electronically.
The medical information collected by your doctor or health insurance plan often includes your name, Social Security number, date of birth, and health plan identification number. This makes credit card information pale by comparison.
“What we’ve learned is that on the black market a complete health record is worth at least 10 times more than credit card information,” said Fliszar.
The high value of medical data is enhanced by the ease with which hackers can access it, compared to data from other industries.
“Most experts believe that, even though the healthcare industry takes it seriously,” said Fliszar, “they tend to be a little bit behind the banking and financial sectors in terms of their protections.”
Data Breaches Sap Patient Confidence
Hackers can sell stolen medical data on the black market. In turn, criminals can use that data to commit identity theft, file false insurance claims, or obtain expensive prescription drugs at a discount and resell them.
But large-scale data breaches may be just as damaging to patients’ confidence in the healthcare system.
“If patients have concerns that their digitized personal health information will be compromised, they will resist sharing it via electronic means, thus reducing its value in their own care and its availability for research and performance measurement,” wrote Dr. David Blumenthal in an accompanying editorial in JAMA.
Some surveys have already found that patients may withhold information from their doctor because of concerns about the safety of that data.
The push toward widespread adoption of electronic health records was intended to cut costs and improve care for patients. To maintain patient confidence, the authors of the JAMA study call for changes in how data is handled by doctors and insurers.
“Strategies to mitigate the risk and effect of these data breaches will be essential to ensure the well-being of patients, clinicians, and healthcare systems,” the study authors wrote.
But “healthcare” in the United States encompasses a wide range of organizations — solo or two-member physician practices, community hospitals or clinics, and massive health systems or health plans.
With this in mind, each part of the industry will need to figure out the best way to protect sensitive medical data.
“The healthcare industry itself has to take a look at what works for them,” said Fliszar, “what works for the physician practice versus the hospital versus the health plan.”