Study in The American Journal of Managed Care® Takes a Closer Look at What Types of Hospitals Have Data Breaches


As major healthcare cyberattacks grab headlines, researchers report
the common characteristics of US hospitals that experience these
attacks. A more common but less visible problem is poor disposal of
paper records and films, this study finds.

An estimated 16 million patient records were stolen in the United States
in 2016, and last summer the British Health System was crippled by a
ransomware attack. While we know these events are on the rise, what do
we know about the hospitals that are vulnerable to these attacks?

A study in the new issue of The American Journal of Managed Care® took on
this question, and found that while the network attacks in the headlines
do affect millions of people, a more mundane problem—improper disposal
or theft of paper records and patient films—happens more often, though
fewer people are affected in each case.

Researchers led by Meghan Hufstader Gabriel, PhD, an assistant professor
in the College of Health and Public Affairs at the University of Central
Florida, uncovered these findings by systematically reviewing records
from the Office of Civil Rights (OCR) in the US Department of Health and
Human Services.

Gabriel, a former economist at the Office of the National Coordinator
for Health Information Technology, and fellow researchers examined the
data collected between October 2009 and July 2016. They studied
nonfederal acute care hospitals.

While OCR tracks breaches affecting more than 500 people—and fines
health systems over violations—it took Gabriel's team to pore over the
records and describe what kinds of hospitals are more (or less) likely
to experience a breach.

Laptops emerged as a major source of data loss during the study period,
far outstripping electronic health records (EHRs) in terms of numbers of
breaches. There were 51 incidents of lost or stolen laptops affecting
380,699 people. By comparison, there were 19 EHR breaches affecting
44,805 people.

Network server breaches rarely occur, but when they do the effects are
vast: 10 breaches in the study period affected 4.6 million people.

Among other findings:

  • During the 7-year study period, 215 breaches affecting 500 or more
    people took place in 185 nonfederal acute care hospitals; 30 hospitals
    had more than one breach, and one hospital had four breaches.
  • Teaching hospitals and pediatric hospitals were more likely to
    experience breaches.
  • Larger hospitals (more than 400 beds) were more likely to have
    breaches than small (less than 100 beds) or medium hospitals (100 to
    399 beds).
  • Investor-owned hospitals (for-profit) were less likely to have a data

The authors noted that hospitals were spending large amounts during
2009-2016 upgrading their information technology systems to meet EHR
requirements, with less spent on security. They also pointed to the
shifting threats to healthcare systems: hackers are no longer interested
in selling data, but threaten to shut down systems unless they are paid
a ransom.

"Routine audits required by cyber-insurance coverage may help healthcare
facilities recognize, and repair, their vulnerabilities before a breach
occurs," the authors conclude.

About The American Journal of Managed Care®:

The American Journal of Managed Care® (AJMC®)
is a peer-reviewed, MEDLINE-indexed journal that keeps readers on the
forefront of health policy by publishing research relevant to industry
decision makers as they work to promote the efficient delivery of
high-quality care. is the essential website for managed care
professionals, distributing industry updates daily to leading
stakeholders. Other titles in the AJMC® family
include The American Journal of Accountable Care®,
and two evidence-based series, Evidence-Based Oncology™ and Evidence-Based
Diabetes Management™. These comprehensive offerings bring together
stakeholder views from payers, providers, policymakers and other
industry leaders in managed care. To order reprints of articles
appearing in AJMC® publications, please contact
Jeff Prescott at 609-716-7777, ext. 331.
