Report: 94% of US hospitals suffered data breaches, and 45% had quintuplets

FILED UNDER: Data lossFeaturedPrivacySecurity threatsVulnerability

Competent healthcare providers are great at medical things, be it measuring fasting blood sugar to diagnose diabetes, swabbing the backs of our throats, or clearing plaque off our grubby molars.

Securing electronic devices or health records? Not so much.

That's the takeaway from a study from the Ponemon Institute, which surveyed 80 healthcare organisations in the US and found that 75% don't secure medical devices containing sensitive patient data, while 94% have leaked data in the last two years (mostly due to staff negligence).

Data breach involving loss of patient data in last two years

Fittingly enough, the study, the Third Annual Benchmark Study on Patient Privacy & Data Security [PDF], was paid for by ID Experts, a firm that sells identity-theft protection services.

The study also found that 69% of respondent organisations don't secure FDA-approved medical devices such as insulin pumps or wireless heart pumps.

The thinking being, most likely, that securing such devices just isn't healthcare's job, the report suggests:

"This finding may reflect the possibility that they believe it is the responsibility of the vendor - not the health care provider - to protect these devices."

Indeed, concerns over medical device security recently prompted the US Government Accountability Office (GAO), with prodding from Congress, toissue a report recommending that the US Food and Drug Administration (FDA) start thinking about how to secure insulin pumps and implantable defibrillators from being vulnerable to targeted attacks.

Meanwhile, just as medical providers move toward electronic records and health information exchanges where they can share files, the survey finds that cyberattacks against healthcare organisations are growing in frequency.

That's underlined by the frequent headlines detailing data breaches at medical facilities.

Here are just three of the healthcare breach headlines that have appeared since 30 November 2012:

  • Alere Home Monitoring in Waltham, Mass., which reported that more than 100,000 patients were affected by a breach involving a stolen laptop.
  • University of Virginia Medical Center's Continuum Home Infusion likewise reported that almost 2,000 patients were affected by a breach stemming from a pharmacist losing a USB stick.
  • For its part, Christus St John Hospital in Houston told an undisclosed number of patients who participated in the St John Sports Medicine program that an unencrypted USB drive containing sensitive information had gone missing, according to 


Obviously, as with many industries, human error is at the heart of most data breaches, be it stolen laptops, lost USB memory sticks, or misplaced fill-in-the-blank devices.

As it goes with rocket scientists, so too does it go with healthcare providers: Ponemon Institute's survey found that the top three causes for data breaches at healthcare providers were, in fact, lost or stolen computing devices, employee mistakes, and third-party snafus.

The price of all these breaches is increasing. Ponemon calculates that the average cost to a breached organisation will hit $2.4 million over the course of two years, up slightly from $2.2 million in 2011 and $2.1 million in 2010.

Computer with stethoscope. Image from Shutterstock

The study relies on 324 interviews with 80 healthcare organisations, including hospitals or clinics that are part of a healthcare network (46%), integrated delivery systems (36%) and standalone hospitals or clinics (18%).

The participants came from diverse departments: security, administrative, privacy, compliance, finance and clinical.

Here are more findings from the report:

  • 94% of organisations had at least one data breach in the last two years. The average number for each participating organisation was four data breach incidents in the past two years.
  • The average economic impact of a data breach over the past two years for the responding healthcare organisations was $2.4 million. That's up almost $400,000 since the study was first conducted in 2010.
  • The average number of lost or stolen records per breach was 2,769. The types of lost or stolen patient data most often included medical files and billing and insurance records.
  • 52% discovered the data breach as a result of an audit or assessment, 47% discovered the data breach through employees.
  • More than half (54%) of organisations have little or no confidence that their organisation has the ability to detect all patient data loss or theft.
  • 81% permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their organisation's networks or enterprise systems. However, 54% of respondents say they are not confident that these personally owned mobile devices are secure.
  • 91% of hospitals surveyed are using cloud-based services, yet 47% lack confidence in the ability to keep data secure in the cloud.
  • Despite recent attacks on medical devices, 69% of respondents say their organisation's IT security and/or data protection activities do not include the security of FDA-approved medical devices.

It's interesting to note that while 94% of respondents had at least one data breach in the previous two years, 45% report that they had more than fiveincidents. That's up from only 29% that reported birthing data breach quintuplets (sorry! Couldn't resist!) in 2010.

What's up with that? Ponemon suggests that that particular finding underlines the importance of "determining the cause of a breach and what steps need to be taken to address areas potentially vulnerable to future incidents."

Fair enough.

Translate that into English, and you'll likely arrive at a number of conclusions, one of which NASA came up with, after a string of data breaches.

To wit: after the US space agency suffered yet another unencrypted laptop theft in November 2012, it scrambled to require full-disk encryption agency-wide.

General Manchester PoliceOr perhaps, similarly, these strings of healthcare data breaches will lead to rules that lead to enforcement of encryption on USB keys.

That's a lesson the Greater Manchester Police learned the hard way after an unencrypted USB key was stolen from an officer's home - a data breach for which the UK Information Commissioner's Office slapped them with a £150,000 fine.

Unfortunately, medical skills can't be delivered in a vacuum nowadays. They can't be delivered without concern for security.

Here's hoping that our very smart, very capable healthcare organisations can stem this epidemic of security fumbles.


15 Recent Healthcare Data Breaches

The following is a roundup of healthcare data breaches reported in the last 30 days, beginning with the most recent:

1. Laptops Stolen from New York Podiatrist's Office Contained 6,475 Patients' Information
Poughkeepsie, N.Y.-based Sims and Associates Podiatry notified patients of a data breach that occurred when its office was burglarized and three laptops containing patients' personal and health information were stolen.

2. Tufts Health Plan Reports Data Theft Affecting 8,830 Medicare Subscribers
Watertown, Mass.-based Tufts Health Plan reported the theft of the personal information of 8,830 Medicare subscribers.

3. Laptop Containing Patient Information Stolen From Coordinated Health
Bethlehem, Pa.-based Coordinated Health notified patients of a data breach that occurred when a laptop containing patient information was stolen from an employee's vehicle.

4. Parallon Business Solutions Insider Breach Affects Patients in New Hampshire
Franklin, Tenn.-based Parallon Business Solutions, which provides billing services to many healthcare providers in 
New Hampshire, notified 40 New Hampshire residents their personal and health information was compromised in an insider data breach.

5. UPMC Reports 27,000 Victims of Data Breach
Pittsburgh-based UPMC reported the number of employees affected by a data breach at its facility has risen from 322 to as many as 27,000.

6. University Urology Notifies 1,144 Patients Their PHI Was Provided to a Competing Provider
Knoxville, Tenn.-based University Urology announced a data breach that occurred when patients' protected information was compiled by an administrative employee and provided to a competing healthcare provider for the purpose of soliciting patient business.

7. Lubbock Cardiology Clinic Announces Data Breach Affecting 1,400 Patients
Lubbock (Texas) Cardiology Clinic announced a data breach involving unauthorized access to 1,400 of its patients' medical records.

8. Midwest Orthopaedics at Rush Announces Data Breach Affecting 1,200 Patients
Chicago-based Midwest Orthopaedics at Rush notified more than 1,200 patients their personal and health information may have been compromised in February when an unknown person accessed a physician's Gmail account.

9. Data Breach at La Palma Intercommunity Hospital
La Palma (Calif.Intercommunity Hospital notified patients their medical records and personal information were illegally viewed by a former employee of the hospital.

10. Michigan Long Term Care Security Breach Affects 2,595 Patients
The Michigan Department of Community Health announced a data breach that occurred when a laptop and flash drive containing 2,595 patients' personal and health information were stolen from an employee of the Michigan Long Term Care Ombudsman's Office.

11. Kaiser Permanente Notifies Patients of Data Breach Caused by Malware
The Kaiser Permanente Northern California Division of Research in 
OaklandCalif., notified patients their personal and health information was compromised when its research server was infiltrated by malware.

12. Billing Service Data Breach Caused by Alleged Identity Thief
Salem (Va.) Hospitalists, a medical group practice, notified patients of a data breach caused when a contractor's former employee who is being investigated for identity theft accessed their personal and health information.

13. Subcontractor Error Exposes 3,100 Alabama Patients' Medical Data
Decatur, Ala.-based PracMan, a billing company utilized by many 
Alabama physicians, announced a subcontractor caused a data breach that exposed the personal and health information of 3,100 patients.

14. CHI's Franciscan Medical Group Suffers Data Breach Caused by Phishing Scam
Tacoma, Wash.-based Franciscan Medical Group notified patients their personal and health information has been compromised due to a phishing scam.

15. Palomar Health Data Breach Affects 5,000 Patients
Escondido, Calif.-based Palomar Health notified 5,000 patients their personal and health information was compromised when a laptop and two flash drives were stolen from a Palomar Health employee.