AJMC Study Finds Common Characteristics of Hospital Data Breaches

The study by the American Journal of Managed Care found teaching hospitals and pediatric hospitals are the most susceptible to data breaches.


Between 2009 and 2016, there were 216 reported data breaches by 185 non-federal acute care hospitals

A recently published study by the American Journal of Managed Care reveals common characteristics found in hospitals where data breaches occurred.

According to the study, the researchers took breach data from the Department of Health and Human Services’ Office for Civil Rights, covering breaches at healthcare providers that affected 500 or more individuals from 2009 to 2016, and linked it with hospital characteristics from the Health Information Management Systems Society and the American Hospital Association Health IT Supplement databases.

The study revealed hospitals are the most commonly breached type of healthcare provider, accounting for approximately 30 percent of all large healthcare security incidents reported to the Department of Health.

Over the seven-year time period, there were 216 data breaches reported by 185 non-federal acute care hospitals. Thirty hospitals experienced multiple breaches of 500 or more healthcare records. One hospital experienced two breaches, five hospitals experienced three breaches and 24 hospitals experienced two breaches, reports the HIPAA Journal.

In addition to hospitals experiencing the highest percentage of security breaches, those breaches also resulted in the exposure of the highest number of health records.

The study also found the most common locations of breached data were paper and film, occurring in 65 hospitals during the seven-year period.

While there has been a significant increase in malware and ransomware attacks as of late, network servers were the least common location for breaches between 2009 and 2016. While the least common, those breaches resulted in the highest number of stolen medical records.

The second most common location of breaches was data stored in locations other than paper, film, laptops, email, desktops, EHRs or network servers, accounting for 56 hospital breaches. The third most common was laptop breaches, which were reported by 51 hospitals.

What Types of Hospitals Experienced the Most Data Breaches?

The most susceptible to data breaches were teaching hospitals and pediatric hospitals. Eighteen percent of teaching hospitals experienced at least one data breach while six percent of pediatric hospitals also experienced a breach.

Larger hospitals (more than 400 beds) were found to be more prone to data breaches, with 26 percent experiencing a breach. Investor-owned hospitals experienced fewer breaches than not-for-profit hospitals. The threats to healthcare systems have also shifted from hackers interested in selling data to hackers threatening to shut down systems unless paid a ransom.

The study did not find any significant difference based on the level of IT sophistication, biometric security use, health system membership, hospital region or area characteristics.

The authors noted that hospitals were spending large amounts during the seven-year timeframe upgrading their information technology systems to meet electronic health record requirements, with less spent on data security.

The researchers suggest the amount of money spent on security needs to increase if hospital data breaches are to be prevented. Security measures also need to be improved for paper and films to reduce the opportunity to access data, and hospitals should conduct regular audits to determine who is accessing personal health information.

The study also suggests access to PHI should be limited to the minimum necessary amount to allow employees to complete their work duties.

“Routine audits required by cyber-insurance coverage may help healthcare facilities recognize, and repair, their vulnerabilities before a breach occurs,” the authors conclude.


About the Author


Amy is Campus Safety’s Executive Editor. Prior to joining the editorial team in 2017, she worked in both events and digital marketing.

Amy has many close relatives and friends who are teachers, motivating her to learn and share as much as she can about campus security. She has a minor in education and has worked with children in several capacities, further deepening her passion for keeping students safe.
