About 14.7 million consumers had their private medical data breached, hacked or stolen in 2017, a year in which there were 477 healthcare data breaches.

Data breaches that result in the theft or unwanted exposure of patients’ private medical records remain a healthcare industry crisis.

About 14.7 million consumers had their private medical data breached, hacked or stolen in 2017, a year in which there were 477 healthcare data breaches, says the U.S. Department of Health and Human Services Office of Civil Rights. That compares with about 450 healthcare data breaches and 112.1 million consumer or patient medical record violations in 2016—which had been a record year for healthcare data breaches that included the theft of 70 million consumer health records from health insurer Anthem.

Healthcare data breaches happen at least once daily, says the federal government. But a new study based on government data sheds some new light on the types of healthcare organizations most vulnerable to cyberattack. Researchers at the University of Central Florida analyzed 185 hospitals that had a data breach of at least 500 patients.

The research found that 24 hospitals had at least two data breaches in one year, while five hospitals suffered three data attacks or breaches within 12 months and one hospital had four data breaches in one year. The report looked at data breaches by nine provider categories: academic medical center affiliated with a college or university; emergency response, government, physician or group practice; health systems, hospital; skilled nursing facilities and home healthcare; pharmacies; research facilities; laboratories and medical supply companies. Among types of hospitals, large hospitals with more than 500 beds were the provider category with the most data breaches (26%), followed by academic medical centers at 18% and for-profit hospitals at 15%. “Of all types of healthcare providers, hospitals accounted for approximately one-third of all data breaches and hospital breaches affected the largest number of individuals,” says Meghan Hufstader Gabriel, an assistant professor in the department of health management and informatics at the University of Central Florida and the lead author of the study.

How data breaches and patient data violations occur also varies, says Hufstader Gabriel. For example, paper and films were the most frequent mode or location of data breaches at hospitals, although the biggest volume of patient data breaches or cybercrime happened when a hospital’s electronic patient record system was breached or hacked. “Data breaches of paper/films occurred most frequently at 65 hospitals, while data located in laptop computers, email, desktop computers, and electronic health records (EHRs), or network servers were reported in 56 hospitals,” says Hufstader Gabriel.

The numbers of patient health information breaches from e-mail in 34 hospitals and desktop computers in 33 hospitals were approximately equal during the study period. EHR data breaches happened in 19 hospitals. Network server breaches occurred in 10 hospitals and these breaches compromised 4.6 million records.

Other study results include:

  • The types of data breaches and the number of individuals affected by those types of breaches varied significantly among hospitals.
  • Hacking and information technology incidents from 27 hospitals affected the most patients at about 4.7 million.

“Hospitals are vulnerable to data breaches, but investment in data security is lacking,” says Hufstader Gabriel. “Although hospital investments in technology have been implemented to meet meaningful use and other federal requirements, protecting digitized patient data has not been a central focus.”

The type of cybercrime and patient data breaches at hospitals shows that hospitals still have a problem in securing both paper and digital medical records, says Michael Ebert, a partner in the Philadelphia office of KPMG’s Advisory Services leader in the Cyber (Security, Privacy and Continuity) practice focused on healthcare life science.

“There is still a lot of paper in healthcare, and data is everywhere,” he says. “Every single device has some kind of protected health information on it. There is no more intensive information technology than in healthcare.”
