Compromised information included patients’ names, home addresses, ages, illnesses, test results or Social Security numbers. Most involved electronic data and theft, including stolen laptops and computer thumb drives.
The study didn’t examine motives behind criminal breaches, or how stolen data might have been used, but cyber-security experts say thieves may try to use patients’ personal information to fraudulently obtain medical services.
Cases that didn’t involve malicious intent included private health information being inadvertently mailed to the wrong patient.
Hackings doubled during the study, from almost 5 percent of incidents in 2010 to almost 9 percent in 2013. Hackings are particularly dangerous because they can involve a high number of records, said Dr. Vincent Liu, the author and a scientist at Kaiser Permanente’s research division in Oakland, California.
“Our study demonstrates that data breaches have been and will continue to be a persistent threat to patients, clinicians, and health care systems,” Liu said.
The study appears in Tuesday’s Journal of the American Medical Association.
A JAMA editorial says there’s evidence that the incidents are leading some patients to avoid giving doctors sensitive information about their health, including substance abuse, mental health problems, and HIV status.
“Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States,” the editorial said.
Patients should be alert to cyber threats, including “phishing” emails from hackers posing as doctors, hospitals or health insurance companies, said Lisa Gallagher, a cybersecurity expert at the Healthcare Information and Management Systems Society.
Those messages require clicking on a link to get information, and patients should instead call the purported sender to verify whether the email is legitimate, she said.
Patients should also double check doctor bills and other insurance company information.
“Don’t throw away your explanation of benefits. Take a look at them,” Gallagher said. “If you see care that wasn’t provided to you, or dates and names of providers that don’t make sense, go to the provider and report that.”
For the study, Liu and colleagues analyzed an online database regulated by the U.S. Department of Health and Human Services and containing mandated reports of breaches in health information protected by federal privacy law.
Over the four years, 949 data breaches were reported across the country. The numbers climbed annually, from 214 in 2010 to 265 in 2013. Nearly 60 percent involved theft.
Prominent cyberattacks affecting two health insurance giants happened after the study. Last May, a data breach hit Premera Blue Cross, affecting about 11 million customers and others. And between last December and late January, hackers accessed an Anthem Inc. database with information on nearly 80 million people.
Authorities believe hackers in China may be behind both attacks, Gallagher said.
She said cybersecurity is among key topics at her nonprofit group’s annual meeting this week in Chicago. Members include doctors, hospitals, health plans and sellers of electronic health record products.