Will we ever know the number of data breaches in healthcare?

We’ve seen hospitals get hit with ransomware, health insurers report breaches of thousands of records over the last several years, and we still hear about stolen laptops on the local news from time to time. But what we see reported by the media is only the smallest fraction of the breaches that are happening to the healthcare industry, according to a new survey released by the Ponemon Institute.

The Ponemon Institute researches privacy, data protection & information security policies. They recently surveyed 91 healthcare organizations & 84 business associates working with the healthcare industry. Only 11% of the healthcare organizations surveyed did not have a breach in the last 24 months. Businesses providing services to the industry fared much better, with 39% reporting no breaches in the last 2 years.

As part of the Affordable Care Act, healthcare entities must report breaches affecting 500 or more individuals to the Office for Civil Rights at the Dept. of Health & Human Services. In Colorado last year, there were 3 breaches reported; in California there were 35. However, the size and number of breaches reported in the survey tell a different story.

  • 23% of the breaches reported by healthcare organizations in the survey involved 5,000+ records.
  • 32% of the breaches reported by business associates in the survey involved 5,000+ records.
  • 22% & 17% respectively fall into a gray area (101-1,000 records) where it is unclear if reporting would have been necessary.

If these numbers can be extrapolated to the rest of the industry, the OCR database is a good starting point, but it doesn’t come anywhere near showing the true scope of data breaches facing the healthcare industry.

The only reported breaches in Colorado were the VA Eastern Colorado Health Care System, the Colorado Department of Health Care Policy and Financing, and the University of Colorado Health.

For all the breaches that might be missing from the OCR database, there is not another public database that relies on self-reporting to give us insight into the data breaches facing other industries. For those, we are still in the dark.

Interested in breaches reported in your state? Check out the Office for Civil Rights’ interactive tool for breaches going back to 2009.
