Tuesday, December 22, 2015 Study: Health Information Data Breaches Hit Nearly Every Industry Between 2004 and 2014 Data breaches of protected health information (PHI) aren't just a challenge for health care providers: according to a new report, it's a problem that has been experienced in 90% of all industries, from agriculture to entertainment. And those compromises could be changing patient behavior. In its recently released PHI Data Breach Report (.pdf), researchers for Verizon analyzed reported PHI data breach incidents in 25 countries from 1994 to 2014. Unlike other analyses that searched for records of breaches filed under "health care" in the North American Industry Classification System, the Verizon report expanded its review to include not only the health care industry, but any breach in any industry in which the data type lost was listed as "medical records," or the data subject (victim) of the breach was listed as "patient." The widened search yielded 1,972 breaches that affected 392 million records, most occurring between 2004 and 2014. The health care industry was the leader in terms of number of breaches, but nearly every other industry experienced breaches that involved PHIs. According to the study's authors, the widespread nature of the problem isn't all that surprising. "How many companies have employees?" authors write. "How many of these employees are involved in workers' compensation claims? These are likely to include health information, so that is one source where we'd expect to see this type of data collected." Other sources for PHI include wellness programs, the management of health insurance programs, and for some businesses such as insurance companies, the collection of PHI from customers. "The fact that an organization is not in the health care industry or isn't a HIPAA-covered entity doesn't mean that it's not at risk of a PHI data breach," authors write. The study found that most of the breaches were caused by "external actors" accessing PHIs (903 of the 1,972 breaches), but that internal actions weren't far behind (791). The difference: many of the internal breaches were likely accidents, with no malicious intent. Researchers believe that for the PHI breaches that were tied to actual theft, the perpetrators weren't as interested in the medical information as they were in accessing data that often accompanies this information—payment information, personal identity information, and credentials that can allow further access to other data. Authors of the study fear that regardless of the motivation for the breaches, the prevalence of the problem is having an effect on the relationship between the health care provider and the health care consumer. As public awareness of the breach issue increases, so does a patient's fear of providing information to a health care provider in the first place. "As reports of medical record losses continue to pile up, the trust between medical providers and their patients is being eroded," authors write. "The implications of this may be wider than practitioners anticipate." Want to learn more about protecting PHI? Check out the "Compliance Matters" column in the August issue of PT in Motion magazine for more on safeguarding patient information, as well as a link to a federal government resource on HIPAA rules around privacy, security, and breach notification.