The Washington PostDemocracy Dies in Darkness

Health care data breaches have hit 30M patients and counting

Health care has a data breach problem. (AP Photo/Damian Dovarganes, File)

Welcome to Health Reform Watch, Jason Millman's regular look at how the Affordable Care Act is changing the American health-care system — and being changed by it. You can reach Jason with questions, comments and suggestions here. Check back every Tuesday and Thursday afternoon for the latest edition, or sign up here to receive it straight from your inbox. Read previous columns here.

The recent theft of 4.5 million medical records by Chinese hackers highlights one undeniable truth about health care data: it's valuable, and bad people want it. In this latest incident, hackers reportedly stole personal data from Community Health Systems patients, including their Social Security numbers, which is an especially coveted piece of information if you want to steal someone's identity. But it appears that patients' medical data and credit card numbers were not stolen in this case.

Thanks to some tougher federal reporting requirements for health-care data breaches in recent years, we have a better sense of when patient information goes missing or might have been inappropriately accessed by someone. Tougher breach notification requirements were tied to a provision in the 2009 stimulus act that included billions of dollars in incentives to encourage electronic health record adoption, in part to allay fears that health care's digital transformation put our health records at greater risk.

The numbers aren't pretty. Since federal reporting requirements kicked in, the U.S. Department of Health and Human Services' database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30.1 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million) and unauthorized access accounts (1.9 million people), according to a Washington Post analysis of HHS data. These numbers don't include the Community Health Systems data breach.

There are also many more incidents of smaller-scale breaches. In 2012, for example, HHS received 21,194 reports of smaller breaches affecting 165,135 people, according to the department's most recent report to Congress. Similar numbers were reported in 2011. In all, data breaches cost the industry $5.6 billion each year, estimates the Ponemon Institute, a security firm.

Health care data has seemingly become increasingly targeted, accounting for 43 percent of major data breaches reported in 2013, according to the Identity Theft Resource Center. That's the first time the health care sector topped the group's annual list, and it's on the same pace for 2014, according to the nonprofit group. The ITRC says the recent jump in health care breaches could be the result of tougher reporting requirements.

"It is more difficult, perhaps, for that industry to brush something under the rug and want to chance not disclosing it because the ramifications for being found out are pretty significant," said ITRC chief executive Eva Velasquez. "There's just a lot of regulation in place there."

A data breach doesn't necessarily mean a patient is at risk of identity theft — a reportable breach could occur when someone loses a laptop with patient data, or some patient records are tossed in a dumpster. However, a 2013 report from the Javelin security firm found that about 25 percent of people who received data breach notices of any kind (not just health care) eventually became victims of identity theft.

There's still concern, though, about the health-care industry's ability to prevent and respond to data breaches. About 69 percent of health security professionals in a 2013 survey said their organization has a data breach plan in place, up from 62 percent in 2012. Another 27 percent said they were still developing a strategy, according to the Healthcare Information and Management Systems Society survey, which also found health care's security environment had "an average level of maturity."

"Despite the advances healthcare organizations have made in their security environment, there is still room for improvement," the report concluded.

Top health policy reads from around the Web:

Administration won't reveal security records. "After promising not to withhold government information over 'speculative or abstract fears,' the Obama administration has concluded it will not publicly disclose federal records that could shed light on the security of the government's health care website because doing so could 'potentially' allow hackers to break in. The Centers for Medicare and Medicaid Services denied a request by The Associated Press under the Freedom of Information Act for documents about the kinds of security software and computer systems behind the federally funded In denying access to the documents, including what's known as a site security plan, Medicare told the AP that disclosing them could violate health-privacy laws because it might give hackers enough information to break into the service." Jack Gillum for the AP.

Obamacare shrinking as a campaign issue. "Republicans seeking to unseat the U.S. Senate incumbent in North Carolina have cut in half the portion of their top issue ads citing Obamacare, a sign that the party’s favorite attack against Democrats is losing its punch. The shift — also taking place in competitive states such as Arkansas and Louisiana — shows Republicans are easing off their strategy of criticizing Democrats over the Affordable Care Act now that many Americans are benefiting from the law and the measure is unlikely to be repealed. ... Republican pollster Whit Ayres, who has advised U.S. Senate candidates including Marco Rubio of Florida, said the party is pausing to reframe the ads by tying Obamacare to the economy and jobs, the top concerns for most Americans." Heidi Przybyla for Bloomberg.

A giant health care fight takes shape in Pittsburgh. "Pittsburgh's dominant health insurance company and its largest healthcare provider are, essentially, getting a divorce. For decades, and worked together. But as the line between insurance companies and health care providers across the country blurs, these longtime allies are venturing into each other's business and becoming competitors." Jeff Brady for NPR.