According to an analysis by the Johns Hopkins University Carey School of Business, more data breaches occur at large healthcare providers than at small ones. The study data came from the breach reports that healthcare providers submitted to the Department of Health and Human Services’ Office for Civil Rights (OCR). OCR publishes all breaches that affected more than 500 people.
The journal JAMA Internal Medicine published the results of the breach report study, led by Ge Bai, PhD. According to the study, 216 hospitals reported a data breach between 2009 and 2016, and 15% of those hospitals reported more than one breach. In addition, teaching hospitals and smaller hospitals are more likely to be targeted by hackers.
Questioning the accuracy of these data breach statistics is a team of physicians from Vanderbilt University in Nashville led by Daniel Fabbri, PhD. The team pointed out the following major potential errors in the data breach report:
- There is an inherent error in how the data was collected and reported. The reported breaches include only those that affected at least 500 people; smaller breaches were never reported. It is therefore likely that larger hospitals appear to report more breaches simply because they have more patients, so their breaches more easily cross the 500-patient reporting threshold.
- Larger hospitals have more money to procure better technology, which is why they are able to detect and report breaches. Smaller hospitals may have breaches that take a long time to detect, especially insider breaches, because they lack the resources for internal audits.
- Just because HIPAA rules require a data breach report doesn’t mean that all healthcare organizations comply.
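To illustrate the first objection above, here is an added example (not from the article or either study) using constructed hospital and breach data: applying the 500-individual threshold to hospitals with identical breach rates hides most small-hospital incidents and also shifts the share of hospitals that appear to have suffered repeat breaches.

```python
"""Added illustration (not from the article or the cited studies): how a fixed
500-individual reporting threshold censors breach counts at smaller providers.
All hospitals and breach events below are constructed sample data."""
from collections import Counter

THRESHOLD = 500  # OCR publishes breaches affecting at least 500 individuals

# Constructed: (hospital, size class, individuals affected by each breach).
# Per-breach impact scales with patient volume, so small hospitals' breaches
# tend to fall under the threshold even when they occur at the same rate.
BREACHES = [
    ("H1", "large", 4200), ("H1", "large", 900),
    ("H2", "large", 12000),
    ("H3", "large", 650), ("H3", "large", 510),
    ("H4", "small", 120), ("H4", "small", 340),
    ("H5", "small", 80),
    ("H6", "small", 560), ("H6", "small", 45),
]


def tally(breaches, threshold=THRESHOLD):
    """Per size class: (breaches that actually occurred, breaches that would be published)."""
    actual, reported = Counter(), Counter()
    for _, size, affected in breaches:
        actual[size] += 1
        if affected >= threshold:
            reported[size] += 1
    return {size: (actual[size], reported[size]) for size in actual}


def repeat_breach_share(breaches, threshold=THRESHOLD):
    """Share of hospitals with more than one breach: with full visibility vs.
    counting only hospitals and breaches visible above the threshold."""
    per_hospital_all = Counter(h for h, _, _ in breaches)
    per_hospital_rep = Counter(h for h, _, a in breaches if a >= threshold)
    hospitals = set(per_hospital_all)
    full = sum(1 for h in hospitals if per_hospital_all[h] > 1) / len(hospitals)
    visible = [h for h in hospitals if per_hospital_rep[h] > 0]
    seen = sum(1 for h in visible if per_hospital_rep[h] > 1) / len(visible)
    return round(full, 2), round(seen, 2)


if __name__ == "__main__":
    print(tally(BREACHES))                # small hospitals: 5 breaches, 1 published
    print(repeat_breach_share(BREACHES))  # repeat share looks lower once censored
```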
Bai responded by acknowledging the issues raised, especially regarding the 500-individual reporting threshold. Nevertheless, larger hospitals, including teaching hospitals, handle more PHI and are therefore preferred targets for cyber criminals compared to smaller hospitals. That doesn’t mean smaller organizations are not targeted: the hacking group known as DarkOverlord is known for attacking smaller healthcare organizations precisely because their lack of cybersecurity resources makes them vulnerable.
Clearly, it’s not easy to derive meaningful healthcare data breach statistics from the industry data currently available.