As the adoption of electronic record and health information technology rapidly expands, hospitals and other health providers increasingly suffer from data breaches.1 A data breach is an impermissible use or disclosure that compromises the security or privacy of the protected health information and is commonly caused by a malicious or criminal attack, system glitch, or human error.2,3 Policy makers, hospital administrators, and the public are highly interested in reducing the incidence of data breaches. In this retrospective data analysis, we use data from the Department of Health and Human Services (HHS) to examine what type of hospitals face a higher risk of data breaches.

Methods

Under the Health Information Technology for Economic and Clinical Health Act of 2009, all heath care providers covered by the Health Insurance Portability and Accountability Act must notify HHS of any breach of protected health information affecting 500 or more individuals within 60 days from the discovery of the breach. The Department of Health and Human Services publishes the submitted data breach incidents on its website, with the earliest submission date as October 21, 2009. We were able to link 141 acute care hospitals to their 2014 fiscal year Medicare cost reports filed with the Centers for Medicare and Medicaid Services (CMS). The unlinked hospitals include long-term care hospitals, Veterans Affairs and military hospitals, hospital systems, and hospitals unidentifiable in the CMS data set. We applied multivariable and regression analyses to compare these 141 hospitals with other acute care hospitals to understand what type of hospitals face a higher risk of breaches.4 Statistical analysis was performed with SAS 9.4 (SAS Institute Inc) and STATA 14 (StataCorp LLC). For statistical analysis, t tests were used, and P < .05 was considered significant.

Results

Between October 21, 2009, and December 31, 2016, 1798 data breaches were reported.5 Among them, 1225 breaches were reported by health care providers and the remaining by business associates, health plans, or health care clearing houses. There were 257 breaches reported by 216 hospitals in the data, with median (interquartile range [IQR]) 1847 (872-4859) affected individuals per breach; 33 hospitals that had been breached at least twice and many of which are large major teaching hospitals (Table 1). Table 2 lists hospitals with more than 20 000 total affected individuals. For the 141 acute care victim hospitals linked to their 2014 CMS cost reports, the median (IQR) number of beds was 262 (137-461) and 52 (37%) were major teaching hospitals. In contrast, among 2852 acute care hospitals not identified as having breaching incidents, the median (IQR) number of hospital beds was 134 (64-254), and 265 (9%) were major teaching hospitals. Hospital size and major teaching status were positively associated with the risk of data breaches (P < .001).

Discussion

A fundamental trade-off exists between data security and data access. Broad access to health information, essential for hospitals’ quality improvement efforts and research and education needs, inevitably increases risks for data breaches and makes “zero breach” an extremely challenging objective. The evolving landscape of breach activity, detection, management, and response requires hospitals to continuously evaluate their risks and apply best data security practices. Despite the call for good data hygiene,6 little evidence exists of the effectiveness of specific practices in hospitals. Identification of evidence-based effective data security practices should be made a research priority.

This study has 3 important limitations. First, data breaches affecting fewer than 500 individuals were not examined. Second, since each victim hospital was matched to CMS cost report based on the name and state, the matching might be incomplete or inaccurate for some hospitals. Finally, our analysis is limited to the hospital industry. Future studies that examine the characteristics of other types of health care entities that experienced data breaches are warranted.

Back to top Article Information

Corresponding Author: Ge Bai, PhD, CPA, The Johns Hopkins Carey Business School, Bernstein-Offit Bldg 353, 1717 Massachusetts Ave NW, Washington, DC 20036 (gbai@jhu.edu).

Published Online: April 3, 2017. doi:10.1001/jamainternmed.2017.0336

Author Contributions: Dr Bai had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.

Study concept and design: All authors.

Acquisition, analysis, or interpretation of data: Bai, Jiang.

Drafting of the manuscript: All authors.

Critical revision of the manuscript for important intellectual content: All authors.

Statistical analysis: Bai, Jiang.

Administrative, technical, or material support: All authors.

Supervision: Bai, Jiang.

Conflict of Interest Disclosures: None reported.

Additional Contributions:We acknowledge the valuable comments from Gerard F. Anderson, PhD, and technical support from Jianbo Liu, PhD; they did not receive compensation.