Healthcare organizations are getting better at protecting patient data, but employee errors and negligence remain significant challenges.
The number of data breaches of patient health information and the financial impact of those breaches both declined in 2013, although concerns over patient privacy and information security remained high due to provisions of the Affordable Care Act (ACA).
Those were among the findings of the fourth annual “Benchmark Study on Patient Privacy & Data Security” conducted by the Ponemon Institute, a healthcare research and education organization. The study also found that while the number of organizations reporting criminal attacks on patient data has doubled since 2010, employee negligence remains by far the largest reason for data breaches.
Ninety percent of healthcare organizations in the study reported having had at least one data breach during the previous two years, with 38% reporting five or more breaches, compared with 45% who had reported five or more in last year’s report. “This, coupled with an increase in organizations’ level of confidence in data breach detections suggests that modest improvements have been made in reducing threats to patient data,” the report says.
Slightly more than two-thirds of responding organizations (69%) felt that provisions of the ACA have the effect of increasing or significantly increasing risks to patient privacy and security. The main reasons for concern include insecure exchange of patient information between healthcare providers and government organizations, lack of security of the databases containing patient information, and patients registering for healthcare over insecure websites.
Changes to the Health Insurance Portability and Accountability Act (HIPAA) in 2012 made business associates of HIPAA-covered businesses also responsible for safeguarding protected health information. But nearly three-quarters of survey respondents said they were “not confident” or only “somewhat confident” that their business associates could detect a data breach incident, perform an incident risk assessment, and notify them as required under a HIPAA business associate agreement. While most of the causes of breaches have stayed fairly consistent over the four years in which the survey has been conducted, only 20% of respondents reported a criminal attack in 2010, compared with 40% in 2013.
The financial impact of data breaches in the study ranged from less than $10,000 to more than $1 million over a two-year period. Based on the ranges reported in the study, its authors calculated the average impact to be $1.97 million. That represents a decrease of $400,000, or about 17%, compared with the previous year.
The most common reason given for a data breach (49%) was a lost or stolen computing device. That was followed by “unintentional employee action” (46%), “third-party snafu” (41%), “criminal attack” (40%), “technical systems glitch” (32%), “malicious insider” (12%), and “intentional non-malicious employee action” (8%). (Respondents were permitted more than one choice.)