Health Care Data Breaches Have Hit 30M Patients And Counting

Jason Millman | The Washington Post | August 19, 2014

Welcome to Health Reform Watch, Jason Millman's regular look at how the Affordable Care Act is changing the American health-care system — and being changed by it...

The recent theft of 4.5 million medical records by Chinese hackers highlights one undeniable truth about health care data: it's valuable, and bad people want it. In this latest incident, hackers reportedly stole personal data from Community Health Systems patients, including their Social Security numbers, which is an especially coveted piece of information if you want to steal someone's identity. But it appears that patients' medical data and credit card numbers were not stolen in this case.

Thanks to some tougher federal reporting requirements for health-care data breaches in recent years, we have a better sense of when patient information goes missing or might have been inappropriately accessed by someone. Tougher breach notification requirements were tied to a provision in the 2009 stimulus act that included billions of dollars in incentives to encourage electronic health record adoption, in part to allay fears that health care's digital transformation put our health records at greater risk.

The numbers aren't pretty. Since federal reporting requirements kicked in, the U.S. Department of Health and Human Services' database of major breach reports (those affecting 500 people or more) has tracked 944 incidents affecting personal information from about 30.1 million people. A majority of those records are tied to theft (17.4 million people), followed by data loss (7.2 million people), hacking (3.6 million people) and unauthorized access (1.9 million people), according to a Washington Post analysis of HHS data. These numbers don't include the Community Health Systems data breach...