While the largest number of data breaches took place at healthcare providers—hospitals, physician offices and other provider settings—breaches involving the greatest number of patient records took place at health plans.

A big Boston hospital that just released a much-publicized report on the growing incidence of healthcare data breaches has itself just paid the federal government $515,000 to settle charges of violating HIPAA.

Earlier this week, the U.S. Department of Health and Human Services Office for Civil Rights announced that it has reached separate settlements with Boston Medical Center, Brigham and Women’s Hospital and Massachusetts General Hospital for compromising the privacy of patients’ protected health information by inviting film crews on premises to film an ABC television network documentary series, without first obtaining authorization from patients.

To settle its charges, Massachusetts General Hospital, a big user of digital and mobile healthcare technology with a network of 2,405 physicians and more than 1,000 beds, will pay the federal government $515,000 and take other corrective actions to close out a 2014 incident that the Office for Civil Rights alleged was a violation of the Health Insurance Portability and Accountability Act.

Specifically, the Office for Civil Rights says the three Boston hospitals gave patients’ confidential medical data to ABC before getting permission from patients to do so. ABC was filming a documentary series on trauma care in late 2014 and early 2015 when the HIPAA violation occurred, says Office for Civil Rights director Roger Severino.

“Patients in hospitals expect to encounter doctors and nurses when getting treatment, not film crews recording them at their most private and vulnerable moments,” Severino says. “Hospitals must get authorization from patients before allowing strangers to have access to patients and their medical information.”

The Office for Civil Rights didn’t say how many patients had their medical data violated. In addition to the fine, Massachusetts General Hospital will provide workforce training as part of a corrective action plan. At the same time that Massachusetts General Hospital is settling an alleged HIPAA violation, researchers at the big New England healthcare system have also published a much-publicized report on the rampant and spreading problem health systems continue to have with data breaches and the exposure of confidential medical records.

Massachusetts General researchers found that health plans accounted for the greatest number of patient records breached over the past seven years. While the largest number of data breaches took place at healthcare providers—hospitals, physician offices and other provider settings—breaches involving the greatest number of patient records took place at health plans.

Researchers examined 2,149 data breaches involving a total of 176.4 million patient records, with individual breaches ranging from 500 to almost 79 million patient records, Massachusetts General says. Over the seven-year period, the total number of breaches increased every year (except in 2015) from 199 in 2010 to 344 in 2017. While 70% of all data breaches took place at a healthcare provider facility, breaches involving health plans accounted for 63% of all breached records.

The most common type of breach in 2010 was theft of physical records, but by 2017 data hacking or other information technology incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data, says Massachusetts General. Similarly, the most common type of breached media in 2010 was laptop computers, followed by paper and film records, while by 2017 network servers or emails accounted for the largest number of breaches. Overall, the greatest number of patient records were breached from network servers.

“While the total of 510 breaches of paper and film records impacted about 3.4 million patient records, the 410 breaches of network servers impacted nearly 140 million records; and the three largest breaches together accounted for a bit more than half of all records breached,” says Thomas McCoy, a physician and director of research at the MGH Center for Quantitative Health. “As we work to make breaches less common and less consequential, we need to better understand systemic risk factors for data breach and the harms that arise from data disclosure.”
