Electronic health records were supposed to make life better for patients and doctors -- getting rid of bulky and messy paper files, streamlining delivery of care and organizing medical information so that scientists can use it to make discoveries.
But those benefits could be for naught if digital medical data aren't safe -- and they don't appear to be. A new analysis of government records, published Tuesday in the journal JAMA, found that close to a thousand large data breaches affected 29 million medical records between 2010 and 2013.
Nearly 60% were the result of theft, reported study coauthors Dr. Vincent Liu, of the
To conduct their research, the team mined an online database of health data breaches maintained by the U.S. Department of Health and Human Services. They focused on data breaches affecting 500 or more people -- 949 in all, which made up 82.1% of the reports in the database in the years studied.
Total numbers of breaches reported per year increased over the period, from 214 in 2010 to 265 in 2013. Six breaches affected at least a million records apiece. And more than a third of the breaches occurred in five states -- California, Texas, Florida, New York and Illinois.
Overall, 29.1 million records were affected. Some patients may have been involved in more than one breach, the researchers said, making the total number of people affected somewhat lower.
More than two-thirds of the breaches were made electronically, including via laptops, tablets and other portable electronic devices. In nearly one-third of cases, the breaches happened when health insurance companies contracted their data management to outside firms.
"The personal information of patients in the United States is not safe, and it needs to be," wrote Dr. David Blumenthal of the Commonwealth Fund and attorney Deven McGraw of the law firm Manatt Phelps & Phillips in an editorial that accompanied the JAMA study. "Even if only 15 million or 5 million patients had their data breached, it is too many."
Blumenthal and McGraw wrote that concerns about data security could lead patients to resist sharing data online, affecting medical quality and crippling research. They suggested that healthcare providers needed to do more to practice "good data hygiene": encrypting data and preventing employees from storing medical information on personal electronic devices.
They also called on policymakers to make changes to the "antiquated and inadequate" Health Insurance Portability and Accountability Act. That law does not regulate online entities like Google or Facebook, which collect health data "intentionally or not ... and could become major custodians of [health] data in the future," they wrote.