Protected Patient Data Increasingly Being Stolen

The sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics. Staff interviewed included security, administration, privacy, compliance, finance, and clinical personnel. An average of four staff members were interviewed per site.

The results showed that the number of data breaches involving protected health information rose by 32% from 2010, with 3 out of 10 respondents (29%) reporting that a data breach resulted in medical identity theft. Two out of five respondents (41%) blamed data breaches on employee negligence, such as not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices, while 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches. The breaches were most often detected by an employee (51%), but were also detected through audits and assessments (43%) and patient complaints (35%).

The survey revealed that more than 80% of healthcare facilities use mobile devices to transmit, store, and collect protected patient health information, but half of respondents said those devices were unsecured. Although 83% of hospitals had a written policy and procedure for contacting authorities in the event of a data breach, 57% did not think the policies were effective at curbing breaches; more than half of respondents said they had little or no confidence that all breaches were detected, and 57% had little or no confidence that all patient data loss or thefts had been detected.

The researchers outlined steps for patients to secure data and prevent future breaches, loss, or adverse effects of a loss. These included reading explanation of benefits and Medicare summary notices for missing goods or services; keeping online account passwords secure by using different passwords for each account, and making passwords not easily guessable; avoiding phishing emails, texts, and phone calls that may compromise personal data; contacting government agencies to keep a flag on personal files; and monitoring financial accounts for suspicious activity.

For healthcare organizations, the researchers further suggested creating inventories of private health data, including information about how that data is collected, used, stored, and disposed of; establishing an incident response plan that designates roles and creates guidelines in the event of a breach; and reviewing contracts and agreements made with third-party information handlers.

Related Links:
Ponemon Institute