Health plans accounted for the greatest number of patient records breached over the past seven years, according to an analysis of U.S. health care data conducted by two Massachusetts General Hospital (MGH) physicians. Their report, published in JAMA, examined changes in data breaches during a period when electronic health records were being widely adopted across the country. While the largest number of data breaches took place at heath care providers — hospitals, physician offices, and similar entities — breaches involving the greatest number of patient records took place at health plans.

Lead author Thomas McCoy, MD, director of research at the MGH Center for Quantitative Health, says, “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure.”

McCoy and senior author Roy Perlis, MD, MSc, director of the Center for Quantitative Health, analyzed all data breaches reported to the Office of Civil Rights of the U.S. Department of Health and Human Services from January 1, 2010, to December 31, 2017. They examined trends in the numbers and types of breaches reported in three categories: those taking place at health care providers, at health plans and at business associates — entities that do not provide or reimburse for health services but have legitimate access to patient data in support of plans or providers.

Their analysis covered 2,149 reported breaches involving a total of 176.4 million patient records, with individual breaches ranging from 500 to almost 79 million patient records. Over the seven-year period, the total number of breaches increased every year (except in 2015) from 199 in 2010 to 344 in 2017. While 70 percent of all breaches took place at health care providers, breaches involving health plans accounted for 63 percent of all breached records.

The most common type of breach in 2010 was theft of physical records, but by 2017 data hacking or other information technology incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data. Similarly, the most common type of breached media in 2010 was from laptop computers followed by paper and film records, while by 2017 network servers or emails accounted for the largest number of breaches. Overall, the greatest number of patient records were breached from network servers.

“While the total of 510 breaches of paper and film records impacted about 3.4 million patient records, the 410 breaches of network servers impacted nearly 140 million records; and the three largest breaches together accounted for a bit more than half of all records breached,” says McCoy. “As we work to make breaches less common and less consequential, we need to better understand systemic risk factors for data breach and the harms that arise from data disclosure.”

Perlis adds, “For me, the message is that working with big data carries big responsibility. This is an area where health plans, health systems, clinicians and patients need to work together. We hear a lot about the huge opportunity to improve how we care for patients – but there is also risk, which we need to manage responsibly.”