Medical data breaches most often caused by theft

An analysis of HHS information finds the biggest security leaks come from stolen laptops and removable memory technology. The take-home message: Keep devices locked up.

By Pamela Lewis Dolan — Posted Sept. 3, 2010


The best defense physician practices can take against data breaches might be to keep a more watchful eye for thieves.

The Health Information Trust Alliance in August published an analysis of the 108 breaches that were reported to the Dept. of Health and Human Services from Sept. 23, 2009, to mid-July. The study found that the only type of breach experienced by every industry sector -- and often the biggest cause of a breach -- was theft. Health plans and physician practices were the biggest targets.

The analysis found that 68 of the 108 reported breaches were the result of theft. Of those thefts, 24 were at physician practices and involved a total of 318,478 patient records.

Most commonly, laptops and removable devices -- such as disk drives and thumb drives -- were stolen.

"What the HHS data tells us ... is that this specific segment, physician practices, should make laptop/mobile device protection the No. 1 priority from a security perspective, but this should be one item on a list of many," said the study's author, Christopher Hourihan.

Health care organizations and their business associates are required by federal law to report breaches that affect more than 500 people to HHS and the media.

The report cites a 2009 study by the Ponemon Institute that placed the average cost of security breaches at $204 per medical record -- $144 in indirect costs, such as lost business, and $60 in direct costs, such as setting up credit monitoring for victims.

The report found that the cost of a security breach has risen each year since 2005, when it was estimated at $138 per record.

In addition to better vigilance when it comes to securing laptops and mobile devices, Hourihan said practices should consider investing in encryption technology. Encryption is considered the safe harbor for data breaches. Encrypted data require no outside notice because the risk of the data being accessed is very low, according to revised rules from the Health Insurance Portability and Accountability Act.

"From a notification and compliance perspective, if these devices were all encrypted, the cost of someone taking a device would be no more than the cost of replacing the device and initial cost of the encryption solution," Hourihan said. "However, when you factor in the average cost of notification due to a breach, which is a requirement of HHS, the ROI [return on investment] is in favor of an encryption solution."
