This is from the HealthLeaders Media article here: Cheryl Clark, for HealthLeaders Media, April 15, 2015 - http://www.healthleadersmedia.com/print/TEC-315329/6-in-10-Health-Data-Breaches-Due-to-Criminal-Activity.
Find the full report in the Journal of the American Medical Association here -
HealthLeaders Media reports -
"Theft, illegal hacking, and other breaches of protected health information have compromised 29 million medical records in 949 incidents between 2010 and 2013, spelling out a crying need for better data security," according to a report published in JAMA.
According to the study's author, "theft of paper or electronic records accounted for the majority" of the incidents. "Protecting the security and privacy of patient data needs to be a priority in many different venues, and with all types of patient data, including paper records."
Five states, California, Texas, Florida, New York, and Illinois, accounted for 34% of all reported breaches.
Of the 949 incidents encompassed within the study, 273 involved an external vendor, such as a healthcare system partner, an insurer, or a business that uses the data for analytics or quality reporting.
Associated with the JAMA study is an editorial coauthored by David Blumenthal, MD, of the Commonwealth Fund and former National Coordinator for the Office of the National Coordinator, that charges that policy makers are partly to blame.
Find the editorial, also by Deven McGraw, here -
"They should create stronger penalties and incentives for organizations to be more careful with the data, [Blumenthal] says, acknowledging that it's a difficult task because they're 'still trying to influence providers and organizations to understand that we live in a different age.'"
According to Blumenthal and McGraw, more than 80% of the data breaches reported by Liu result from a "mundane and correctible problem: the failure of covered entities to observe what might be called good data hygiene" such as:
· Failure to encrypt their own data
· Allowing storage of patients' personal health information on employees' personal devices
· Not requiring sound practices to authenticate authorized users
Complicating the solution is the lack of clarity provided by federal rules on data protection, the Health Insurance Portability and Accountability (HIPAA) and the Health Information Technology for Economic and Clinical Health Acts (HITECH), and the desire of the health care providers and IT ventures not to be further regulated.
Read the entire article. It further highlights Blumenthal and McGraw and suggests that if the federal government doesn't step in, various states will. It ends with a Blumenthal prediction -
"But I suspect we'll have some scandals and events that outrage people before this happens. That's regrettable, but it's the way our democracy works. And in the meantime, you can pretty much anticipate that due to inattention and lack of care, and to a lesser extent hacking, there will be large data breaches of increasing size and concern."