Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds | Healthcare Informatics Magazine | Health IT | Information Technology

Paper Records, Films Most Common Type of Healthcare Data Breach, Study Finds

February 22, 2018
by Heather Landi

Even with sophisticated health information technology (IT) systems in place, security breaches continue to affect hundreds of hospitals and compromise thousands of patients’ data. Researchers at the College of Health and Public Affairs, University of Central Florida, and at the United States Air Force Joint Base in Charleston, South Carolina conducted a study to examine what other hospital factors may play a vital role in breach risk.

The study, published in the American Journal of Managed Care, examined the locations in hospitals where data breaches occur, the types of breaches that occur most often at hospitals, and the hospital characteristics, including health information technology (health IT) sophistication and biometric security capabilities, that may predict large data breaches affecting 500 or more patients.

The study findings indicated that, of all types of healthcare providers, hospitals accounted for approximately one-third of all data breaches and hospital breaches affected the largest number of individuals.

Despite the high level of hospital adoption of electronic health records (EHRs) and federal incentives to do so, paper and films were the most frequent location of breached data, occurring in 65 hospitals during the study period. Interestingly, network servers were the least common location, the study found, but network server breaches affected the most patients overall.

The study findings also indicated significant associations among data breach occurrences and some hospital characteristics, including type and size, but not others, including health IT sophistication or biometric use for security.

For the study, researchers linked breach data from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on breaches at healthcare providers that affected 500 or more individuals from 2009 to 2016 with hospital characteristics from the Healthcare Information and Management Systems Society (HIMSS) and the American Hospital Association (AHA) Health IT Supplement databases.

The researchers used descriptive statistics to characterize hospitals with and without breaches, data breach type, and location/mode of data breaches in hospitals. Multivariate logistic regression analysis explored hospital characteristics that were predicting factors of a data breach affecting at least 500 patients, including area characteristics, region, health system membership, size, type, biometric security use, health IT sophistication, and ownership.

Of all types of healthcare providers, hospitals accounted for approximately one-third of all data breaches, and the most individual patients were impacted when hospitals were breached compared with other types of healthcare providers, such as doctors, nurses, and social workers. Paper and films were the most frequent location of breached data, occurring in 65 hospitals during the study period. These paper and film breaches occurred mostly due to theft, improper disposal, and unauthorized access. However, the overall number of patients affected by these breaches was relatively small.

Conversely, network servers were found to be the least frequent location of data breaches, but these breaches impacted the most patients overall. In addition, this study found that there were large numbers of thefts of laptops, which can easily be physically removed and stolen regardless of EHR or biometric security system implementation.

Data located in “other locations,” meaning breaches not involving paper/films, laptop computers, email, desktop computers, EHRs, or network servers, were reported in 56 hospitals and were the second most prevalent. Laptops were the third most prevalent location of breached data, reported in 51 hospitals. The numbers of unsecured protected health information (PHI) breaches from email (in 34 hospitals) and desktop computers (in 33 hospitals) were approximately equal during the study period. EHR data breaches occurred in 19 hospitals. Although network server breaches occurred least frequently (in 10 hospitals), these breaches compromised the highest number of individuals (4,613,858 affected).

Thefts occurred most frequently (in 112 hospitals), followed by unauthorized access/disclosure (in 54 hospitals), whereas hacking/IT incidents from 27 hospitals affected the most individuals (4,685,426).
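The counts reported above are two different aggregations of the same OCR breach-portal records: the number of distinct hospitals that reported a breach at a given location or of a given type, and the total individuals affected by those reports. The Python below is an added example of that analysis, not code from the study or from HHS. The CSV rows are constructed in the portal's public column layout and are not real portal entries; the rule that a report listing several locations counts once per location is an assumption, as is restricting to the "Healthcare Provider" entity type.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of the HHS OCR breach portal export.
# The rows are invented for illustration; they are not real portal entries.
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information
Hospital A,FL,Healthcare Provider,1200,03/04/2014,Theft,"Paper/Films"
Hospital A,FL,Healthcare Provider,800,11/20/2015,Improper Disposal,"Paper/Films"
Hospital B,SC,Healthcare Provider,2500,06/15/2013,Theft,"Laptop, Paper/Films"
Hospital C,TX,Healthcare Provider,1500000,09/09/2016,Hacking/IT Incident,"Network Server"
Hospital D,NY,Healthcare Provider,3100,01/12/2012,Unauthorized Access/Disclosure,"Email"
Clinic E,CA,Healthcare Provider,900,05/05/2015,Loss,"Desktop Computer"
Plan F,OH,Health Plan,40000,02/02/2016,Hacking/IT Incident,"Network Server"
"""


def parse_breaches(text):
    """Yield one dict per portal row. The portal lists several locations or
    breach types in one comma-separated cell, so those are split into lists."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "entity": row["Name of Covered Entity"].strip(),
            "entity_type": row["Covered Entity Type"].strip(),
            "affected": int(row["Individuals Affected"]),
            "types": [t.strip() for t in row["Type of Breach"].split(",")],
            "locations": [l.strip() for l in row["Location of Breached Information"].split(",")],
        }


def provider_rows(rows, entity_type="Healthcare Provider"):
    """Keep only one covered-entity type (assumption: hospitals report as providers)."""
    return [r for r in rows if r["entity_type"] == entity_type]


def summarize_by(rows, field, min_affected=500):
    """For each value of `field` ('locations' or 'types') return
    (distinct entities with at least one such report, total individuals affected).
    A report naming several locations is counted once under each of them
    (assumption); an entity with two reports at the same location counts once."""
    entities = defaultdict(set)
    affected = defaultdict(int)
    for r in rows:
        if r["affected"] < min_affected:  # the portal only lists 500+ anyway
            continue
        for value in r[field]:
            entities[value].add(r["entity"])
            affected[value] += r["affected"]
    return {v: (len(entities[v]), affected[v]) for v in entities}


if __name__ == "__main__":
    rows = provider_rows(parse_breaches(SAMPLE_CSV))
    for field in ("locations", "types"):
        print(f"--- by {field}: (entities, individuals), most frequent first")
        summary = summarize_by(rows, field)
        for value, (n, total) in sorted(summary.items(), key=lambda kv: -kv[1][0]):
            print(f"{value:32} {n:4d} {total:12,d}")
```

Sorting by entity count and then reading the individuals column is exactly how the frequency-versus-impact split appears: in the constructed data Paper/Films tops the entity count while Network Server, reported by one entity, dominates individuals affected.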

The study findings also showed significant associations among data breach occurrences and some hospital characteristics, including type and size. Pediatric hospitals and teaching hospitals were found to be at increased risk for breaches.

What’s more, the study found that the presence of capability and infrastructure support for biometrics and high health IT sophistication were not significantly associated with data breach risk.

Drilling down further, significant differences were found between hospitals that had at least one breach and hospitals that did not have a breach affecting 500 or more individuals during the study period. Specifically, teaching hospitals (18 percent with a data breach vs 3 percent without a breach) and pediatric hospitals (6 percent with a breach vs 2 percent without) had higher percentages of data breaches. Larger hospitals also had a higher percentage of data breaches (26 percent with a data breach vs 10 percent without), the study states.

In addition, a lower percentage of investor-owned (for-profit) hospitals (15 percent with a data breach vs 22 percent without) and other specialty hospitals (6 percent with a data breach vs 12 percent without) had at least one data breach. The researchers found that health IT sophistication, biometric security use, health system membership, hospital region, and area characteristics were not significantly different in terms of data breach percentages.

The researchers note that although hospital investments in technology have been implemented to meet Meaningful Use and other federal requirements, protecting digitized patient data has not been a central focus. The findings of this study point to a need to integrate security measures in areas where patient information is kept in order to reduce the theft risk for both paper files and computers with PHI.

Although there are more group/physician practices within the United States than hospitals, the overall number of individual patients treated, and who thus have data created and stored within the record system, is greater within hospitals, the study authors conclude.

“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs. Accordingly, information security systems should be concurrently implemented alongside health information technologies. Improving access control and prioritizing patient privacy will be important steps in minimizing future breaches,” the study authors state.



Phishing Attack on Healthcare Provider Impacts 128K Patient Records

November 21, 2018
by Heather Landi, Associate Editor

New York Oncology Hematology, based in Albany, New York, is notifying its patients and employees that an unauthorized user may have gained access to several employee email accounts, and, potentially, accessed employee or patient data as a result of a phishing attack back in April.

The healthcare provider posted a message on its website stating, “NYOH has determined an unauthorized user may have gained access to several employee email accounts through a series of targeted phishing emails. While NYOH and its partners are not aware of any actual access to or attempted misuse of patient or employee information related to this incident, we continue to take steps to protect our patients and employees’ information.”

Media coverage by The Daily Gazette puts the number of employees and patients at 128,400.

According to NYOH, the phishing emails sent were sophisticated in that they appeared as a legitimate email login page, which convinced the NYOH personnel to enter their user names and passwords. “These credentials were then harvested and used by the attackers to gain access to the email accounts, which were typically only accessible for a short period of hours before access was terminated,” officials said.

On April 20, 2018, a phishing incident occurred through which an unauthorized user gained access to 14 employee email accounts, typically for only a few hours at most, the organization said. A second incident occurred between April 21, 2018 and April 27, 2018, when one additional email account became accessible. Immediately upon discovery of the incidents, NYOH’s IT vendor reset passwords, shutting down access to these accounts.

NYOH was subsequently notified of the suspected unauthorized access by its IT vendor. NYOH initiated its incident response protocol to determine the scope and severity of the phishing attacks. NYOH hired an outside forensic firm to conduct a review of the content of the accounts.
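The pattern described in this incident, harvested credentials used from an unfamiliar source for a window of hours until a password reset ends access, is what a mailbox sign-in detection is built to surface. The Python below is an added example and is not NYOH's or its vendor's tooling. The sign-in records and reset times are constructed, and the rules it applies (a three-day warm-up to learn a user's usual countries, a two-hour window for "impossible travel", flagged logins never extending the baseline) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records in the shape of a cloud mailbox audit log:
# (user, UTC timestamp, source IP, geolocated country, outcome). Invented
# for illustration; RFC 5737 documentation IPs, not real sources.
SIGNINS = [
    ("alice", "2018-04-13T13:02:00", "203.0.113.10", "US", "Success"),
    ("alice", "2018-04-17T08:45:00", "203.0.113.10", "US", "Success"),
    ("alice", "2018-04-20T09:14:00", "203.0.113.10", "US", "Success"),
    ("alice", "2018-04-20T09:31:00", "198.51.100.77", "NG", "Success"),  # harvested creds used
    ("alice", "2018-04-20T12:40:00", "198.51.100.77", "NG", "Failure"),  # after the reset
    ("bob",   "2018-04-10T07:00:00", "203.0.113.11", "US", "Success"),
    ("bob",   "2018-04-19T07:00:00", "203.0.113.11", "US", "Success"),
    ("bob",   "2018-04-21T22:10:00", "192.0.2.200", "RU", "Success"),
    ("bob",   "2018-04-27T06:05:00", "192.0.2.200", "RU", "Success"),
    ("bob",   "2018-04-27T10:00:00", "192.0.2.200", "RU", "Failure"),
]
# Password resets performed by the help desk or vendor (constructed).
RESETS = {"alice": "2018-04-20T12:30:00", "bob": "2018-04-27T09:50:00"}

WARMUP_DAYS = 3                      # assumption: first 3 days only build the baseline
TRAVEL_WINDOW = timedelta(hours=2)   # assumption: two countries inside 2h is suspicious


def _ts(s):
    return datetime.fromisoformat(s)


def find_compromised_sessions(signins, resets, warmup_days=WARMUP_DAYS):
    """Return {user: finding} for every user with a successful login from a
    country outside their baseline, or two successes from different countries
    inside TRAVEL_WINDOW. Dwell time runs from the first suspicious success to
    the password reset, i.e. the 'hours of access' window in an incident report.
    Flagged logins never join the baseline, so an attacker's own sessions cannot
    whitelist their country."""
    by_user = defaultdict(list)
    for user, ts, ip, country, result in signins:
        by_user[user].append((_ts(ts), ip, country, result))

    findings = {}
    for user, events in by_user.items():
        events.sort()
        successes = [e for e in events if e[3] == "Success"]
        if not successes:
            continue
        warmup_end = successes[0][0] + timedelta(days=warmup_days)
        baseline, suspicious, prev = set(), [], None
        for t, ip, country, _ in successes:
            reasons = []
            if t >= warmup_end:
                if country not in baseline:
                    reasons.append("new_country")
                if prev and prev[1] != country and t - prev[0] <= TRAVEL_WINDOW:
                    reasons.append("impossible_travel")
            if reasons:
                suspicious.append((t, ip, country, reasons))
            else:
                baseline.add(country)  # only unflagged successes extend the baseline
            prev = (t, country)
        if suspicious:
            first = suspicious[0][0]
            reset = _ts(resets[user]) if user in resets else None
            findings[user] = {
                "first_suspicious": first.isoformat(),
                "source_ips": sorted({s[1] for s in suspicious}),
                "reasons": sorted({r for s in suspicious for r in s[3]}),
                "dwell_hours": round((reset - first).total_seconds() / 3600, 2) if reset else None,
                # a suspicious success after the reset means the reset did not cut access
                "post_reset_success": reset is not None and any(s[0] > reset for s in suspicious),
            }
    return findings


if __name__ == "__main__":
    for user, f in find_compromised_sessions(SIGNINS, RESETS).items():
        print(user, f)
```

The `dwell_hours` value is the number an incident responder needs for scoping: it bounds what mail the attacker could have read or exported, and `post_reset_success` is the check that the containment step actually worked rather than merely having been performed.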

Following a thorough analysis, on October 1, they determined that one or more of the affected email accounts contained protected health information and other personal information of patients or employees, the organization said.

The organization said the following information may have been contained in the affected email accounts: names, dates of birth, home addresses, email addresses, insurance information, medical information such as test results, diagnostic codes, account numbers, and service dates. In very limited circumstances, the accounts also contained patient and employee Social Security and driver’s license numbers.

“While we are not aware of any access to or attempted misuse of patient or employee information related to this incident, out of an abundance of caution, NYOH mailed letters to all NYOH patients and employees on November 16, 2018. This letter includes directions for enrolling in 12 months (or longer as required by law) of free identity theft and credit monitoring services through Experian,” the organization stated.

Email hack at HealthEquity

HealthEquity, a health savings account provider with headquarters in Utah, reported to the U.S. Department of Health and Human Services (HHS) data breach portal that 165,800 patient records were impacted by an email hacking incident.

According to, HealthEquity notified the California Attorney General’s Office that on October 5, the company’s IT security team identified unauthorized logins to two HealthEquity employees’ email accounts.  

The investigation was unable to conclusively rule out – or rule in – whether the attacker accessed and viewed emails in those accounts that contained personal and/or protected health information, reported.

In a statement to, HealthEquity officials stated, “Through a third-party forensic research team, we have discovered that approximately 190,000 may have been impacted. We have begun notifying these individuals and offering 5-year credit monitoring services.”



Study: Internal Negligence, Not Hackers, Responsible for Half of Data Breaches

November 20, 2018
by Heather Landi, Associate Editor

While high-profile data breaches perpetrated by cyber criminals and hackers often make big headlines, a recent study found that more than half of healthcare data breaches are a result of internal issues, not external factors.

With regard to health data breaches, hospitals, doctors’ offices and even insurance companies are oftentimes the culprits, according to researchers from Michigan State University and Johns Hopkins University.

For the study, John (Xuefeng) Jiang, lead author and associate professor of accounting and information systems at MSU’s Eli Broad College of Business, and co-author Ge Bai, associate professor at the Johns Hopkins Carey Business School, dove deeper to identify triggers of the PHI data breaches. They reviewed nearly 1,150 cases between October 2009 and December 2017 that affected more than 164 million patients. The study was published in JAMA Internal Medicine.

The new research follows the joint 2017 study that showed the magnitude of hospital data breaches in the United States. The research revealed nearly 1,800 occurrences of large data breaches in patient information over seven years, with 33 hospitals experiencing more than one substantial breach.

The study found that more than half of the recent protected health information (PHI) data breaches were because of internal issues with medical providers, not because of hackers or external parties.

“There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence,” Jiang said in a press release about the study.

“Every time a hospital has some sort of a data breach, they need to report it to the Department of Health and Human Services and classify what they believe is the cause,” Jiang said. “These causes fell into six categories: theft, unauthorized access, hacking or an IT incident, loss, improper disposal or ‘other.’”

After reviewing detailed reports, assessing notes and reclassifying cases with specific benchmarks, Jiang and Bai found that 53 percent were the result of internal factors in health care entities.

“One quarter of all the cases were caused by unauthorized access or disclosure – more than twice the amount that were caused by external hackers,” Jiang said. “This could be an employee taking PHI home or forwarding to a personal account or device, accessing data without authorization, or even through email mistakes, like sending to the wrong recipients, copying instead of blind copying or sharing unencrypted content.”

Of the external breaches, theft accounted for 33 percent with hacking credited for just 12 percent.

Mobile devices were involved in 46 percent of cases, while paper records accounted for just 29 percent of breaches, the researchers report in the study. Employees taking data home or forwarding it to personal email accounts contributed to 74 breaches in the study, or about 6.5 percent of cases.

Mailing mistakes accounted for two-thirds of the data breaches involving communication errors by employees, the study also found.

Some data breaches might result in minor consequences, such as obtaining the phone numbers of patients, but others can have much more invasive effects. For example, when Anthem, Inc. suffered a data breach in 2015, 37.5 million records were compromised. Many of the victims were not notified immediately, so weren’t aware of the situation until they went to file their taxes only to discover that a third-party fraudulently filed them with the data they obtained from Anthem, the study authors wrote.

As a result of their research, Jiang and Bai suggest health care providers adopt internal policies and procedures that can tighten processes and prevent internal parties from leaking PHI by following a set of simple protocols. The procedures to mitigate PHI breaches related to storage include transitioning from paper to digital medical records, safe storage, moving to non-mobile policies for patient-protected information and implementing encryption. Procedures related to PHI communication include mandatory verification of mailing recipients, following a “copy vs. blind copy” protocol (bcc vs cc) as well as encryption of content, the study authors said in the press release.
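The communication controls recommended above (verifying recipients, Bcc rather than Cc for bulk mail, keeping identifiers out of cleartext, and catching staff forwarding records to personal accounts) can be enforced at the outbound mail gateway before a message leaves. The Python below is an added example of such a policy check; it is not code from the study or from any mail product. The four messages are constructed, the organization and partner domains, the webmail list and the identifier patterns are assumptions, and the heuristic that a personal-webmail recipient whose mailbox name matches the sender's is a self-forward is an assumption chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAIN = "hospital.example"                         # assumption: the covered entity's domain
PARTNER_DOMAINS = {"partner-clinic.example"}            # assumption: verified business associates
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumption
MAX_VISIBLE_EXTERNAL = 1   # more than one external address in To/Cc should have been Bcc
ENCRYPTED_TYPES = {"application/pkcs7-mime", "multipart/encrypted"}  # S/MIME, PGP/MIME
PHI_PATTERNS = {   # assumption: crude identifier patterns standing in for a real DLP ruleset
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{6,}\b", re.IGNORECASE),
}


def _local_domain(addr):
    """Split an address; the local part is normalised so alice.jones1 == alicejones."""
    local, _, domain = addr.lower().rpartition("@")
    return re.sub(r"[.\d]", "", local), domain


def _text_parts(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() == "text":
            yield part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", errors="replace")


def check_outbound(raw):
    """Return policy findings for one outbound RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw)
    sender_local, _ = _local_domain(getaddresses([msg.get("From", "")])[0][1])
    visible = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    hidden = [a for _, a in getaddresses(msg.get_all("Bcc", []))]
    findings = []

    # 1. Bulk mail to outsiders with addresses in To/Cc discloses the recipient list.
    external_visible = [a for a in visible if _local_domain(a)[1] != ORG_DOMAIN]
    if len(external_visible) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"bulk_visible_recipients:{len(external_visible)}")

    # 2. Self-forwarding to personal webmail, and recipients at unverified domains
    #    (typosquats of a partner show up here and get held for human verification).
    for addr in visible + hidden:
        local, domain = _local_domain(addr)
        if domain in PERSONAL_WEBMAIL and local == sender_local:
            findings.append(f"self_forward:{addr}")
        elif domain not in PERSONAL_WEBMAIL and domain not in PARTNER_DOMAINS and domain != ORG_DOMAIN:
            findings.append(f"unverified_domain:{domain}")

    # 3. Identifiers in cleartext leaving the organization; skipped when the body is encrypted.
    leaves_org = any(_local_domain(a)[1] != ORG_DOMAIN for a in visible + hidden)
    if leaves_org and msg.get_content_type() not in ENCRYPTED_TYPES:
        body = "\n".join(_text_parts(msg))
        for name, pattern in PHI_PATTERNS.items():
            if pattern.search(body):
                findings.append(f"phi_in_cleartext:{name}")
    return findings


# Constructed messages (not real mail).
MSG_SELF_FORWARD = """\
From: Alice Jones <alice.jones@hospital.example>
To: alice.jones1@gmail.com
Subject: Fwd: lab results

Patient MRN 00123456, SSN 123-45-6789, HbA1c 7.9
"""
MSG_BULK = """\
From: billing@hospital.example
To: pat.one@gmail.com, pat.two@yahoo.com
Cc: pat.three@outlook.com
Subject: Statement

Your statement is ready in the portal.
"""
MSG_TYPO = """\
From: alice.jones@hospital.example
To: records@partner-cinic.example
Subject: Referral

Referral for MRN 00123456 attached.
"""
MSG_CLEAN = """\
From: alice.jones@hospital.example
To: records@partner-clinic.example
Subject: Referral

Referral attached; patient identifiers are in the encrypted attachment.
"""

if __name__ == "__main__":
    for name, raw in [("self_forward", MSG_SELF_FORWARD), ("bulk", MSG_BULK),
                      ("typo", MSG_TYPO), ("clean", MSG_CLEAN)]:
        print(name, check_outbound(raw))
```

Each finding maps to one of the study's recommended protocols: `bulk_visible_recipients` to the Bcc rule, `unverified_domain` to mandatory recipient verification, `self_forward` to the ban on moving PHI to personal accounts, and `phi_in_cleartext` to content encryption. A gateway would hold rather than silently drop flagged mail, since the false-positive cost is a delayed referral, not a lost one.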

“Not putting on the whole armor opened health care entities to enemy’s attacks,” Bai said. “The good news is that the armor is not hard to put on if simple protocols are followed.”

Next, Jiang and Bai plan to look even more closely at the kind of data that is hacked from external sources to learn what exactly digital thieves hope to steal from patient data.




Cybersecurity, Telehealth and Interoperability “Top of Mind” for IT Execs in 2019

November 19, 2018
by Heather Landi, Associate Editor

As health system leaders look ahead to the challenges and opportunities of the coming year, they are increasing their spending to defend against cyberattacks, expressing optimism about reimbursement for telehealth services, and feeling anxiety about Apple, Amazon and Google entering the health care space, according to a new survey.

The second annual survey, conducted by the Pittsburgh-based Center for Connected Medicine (CCM) in partnership with the Health Management Academy, reflects the opinions of healthcare C-suite leaders from nearly 40 major U.S. health systems about their IT priorities for the year ahead. CCM is a collaborative health care executive briefing center jointly operated by GE Healthcare, Nokia and UPMC. The Alexandria, Va.-based Health Management Academy is a membership organization consisting of executives from the country’s top 100 health systems focused on sharing best practices.

Conducted in three parts, the research started with a survey of health system information officers (CIOs, chief medical informatics officers (CMIOs) and chief nursing informatics officers (CNIOs)) in May 2018 to determine the top areas of health IT for 2019. A quantitative survey was conducted in July 2018 with questions focused on cybersecurity, telehealth and interoperability. In September 2018, qualitative interviews were completed with 18 C-suite executives, including chief executive officers, chief operating officers, CIOs and CMIOs.

According to the survey report, “Top of Mind for Top Health Systems 2019,” health system executive leaders identified cybersecurity, telehealth and interoperability as the top three areas of health IT that will have the most impact in 2019. Cybersecurity remained at the top of the list from the previous year’s survey, and telehealth and interoperability climbed the ranking. The previous year’s Top of Mind report had identified cybersecurity, consumer-facing technology, and predictive analytics as the top three areas of focus for 2018.

“While consumerism and analytics remain hot topics in health care, it was not surprising to see telehealth and interoperability rise in the minds of health IT executives for 2019. Policymakers, in particular, have emphasized telehealth and interoperability in the past year, and the threats of cyberattacks and data breaches are constant in health care,” the report authors wrote.

While healthcare executive leaders cited those three topics as immediate, pressing concerns, when asked what health IT technologies they anticipated would have the most impact on health care five years from now, health system executive leaders identified artificial intelligence, consumer technology, and genomics. According to the report, one CNIO said: “The technology is moving so fast that it is hard to predict five years out. I would not have picked some of these for 2019 one year ago.”


Hackers and other cyber-criminals are stepping up their attacks on the health care industry, leading 87 percent of respondents to say they expect to increase spending on cybersecurity in 2019; no health system was expecting to decrease spending. Half of respondents expect a spending increase greater than five percent.

For 2019, health systems said they would invest cybersecurity resources to bolster current areas of investment, with many focusing on both staff and technology, such as firewalls, intrusion detection systems, and two-factor authentication, to guard against breaches of protected health information (PHI).

Despite increasing financial investment and prioritization of cybersecurity at health systems, executives did not express robust confidence in their organization’s IT recovery and business continuity plans after an attack or breach. Seven out of 10 respondents reported being “somewhat confident” in their recovery and continuity plans; only 20 percent said they were “very confident.”

The most commonly cited challenge in cybersecurity was employee education—62 percent of respondents named “staff” as greatest point of cybersecurity weakness. What’s more, phishing and spear-phishing were cited as the most common types of cyberattacks in the previous 12 months.

According to the report, one CEO commented during an interview: “The people that are up to no good have far better tools than we do on our platforms. If they really target you, they will likely find a way in.… We are not trying to make it impenetrable, but we are trying to make it more difficult to break into our system than others in our market.”


Health information technology (IT) leaders overwhelmingly expect government and commercial reimbursement to provide the majority of funding for telehealth services by 2022; internal funding and patient payments are expected to provide the majority of funding for telehealth in 2019.

Government policy is driving some of this optimism, the report authors wrote. “For example, CMS [The Centers for Medicare & Medicaid Services] published a proposal in July 2018 that provided three new remote patient monitoring reimbursement medical codes. While some critics have said the proposal’s $14 reimbursement for virtual check-ins is too low, the move by CMS appears to cement telehealth reimbursement as a priority for the agency.”

All responding health systems report that telehealth accounts for 10 percent or less of their organization’s total care delivery. Over the next three years, however, 45 percent of respondents expect use of telehealth to increase by 10 percent or more. Lack of reimbursement was cited as the most significant barrier to adopting greater telehealth services, cited by 70 percent of respondents.

Most health system executives interviewed for the study said their health system had not yet calculated a specific return on investment (ROI) for telehealth. But systems are investing anyway as a hedge that future reimbursement will outweigh the potential losses of today, according to the survey report. “For the moment, reimbursement is widely thought of in terms of physician time, but as technologies evolve, the question will be whether reimbursement will expand to hardware. Investment can also be seen as a bellwether for provider sentiment toward transformation to value-based care,” the report authors wrote.

When considering a telehealth technology system, top features/priorities are “integration with the clinical workflow” and “ease of patient triage and virtual follow-up,” according to the survey.

Need for Innovation Drives Focus on Interoperability

Interoperability has emerged as a key challenge in health care as hospitals and health systems pursue value-based care, consumerism, and other initiatives that require broad sets of data from disparate IT systems, the report noted. As the health care industry continues to evolve, provider health systems are having to think more creatively about their strategies in order to remain successful.

A lack of interoperability has made it more difficult for health systems to address certain key priorities, most commonly improved efficiency and cost reduction, and advanced analytics, the report said. Additionally, executives report challenges addressing care gap closure, longitudinal patient data, and integration with non-owned partners.

More than half of respondents (61 percent) said the use of a major electronic health record (EHR) system was not stifling digital innovation at their health system. However, in qualitative interviews, several executives said an EHR was limiting their ability to innovate by locking them into a single vendor’s products, according to the report.

Seventy percent of informatics executives said they were “somewhat concerned” about big tech companies, such as Apple, Amazon and Google, disrupting the health care market; 10 percent were “very concerned,” the survey found.

The report quotes one CEO who said: “They are new competitors that look very different from traditional health care competitors. They are better in their space and can catch up quickly. Current stakeholders are resistant to change. If we’re slow and dodgy we’re going to get lapped.”

The survey also examined the role of the cloud in the future of health IT. The majority of health care data is expected to be stored in on-premises data centers (20 percent) or hybrid / private cloud (60 percent) in the next three years, according to the survey, and 10 percent said they anticipate storing health data in a public cloud.

