Fact sheet 02-2017

A significant increase in the risk of exposure of health information in the United States

Background

Risk is a measure that combines the probability and impact of an undesired event. In risk analysis, risk is estimated by computing the product of the probability that the event will occur and the consequence of the event: risk (x) = probability (x) • consequence (x). In risk analysis, consequence and probability are normally divided into specific categories, which provides the basis for graduation of risk levels. Estimates of risk levels then form the basis for the evaluation of measures to reduce risk.

In the United States, breaches of privacy in the health sector, which are regulated by the Health Insurance Portability and Accountability Act (HIPAA)(1), are reported to the U.S. Department of Health and Human Services, Office for Civil Rights. Events that represent a breach of this Act, and that involve more than 500 persons, are published in a breach registry in the Department’s Breach Portal (2).

In the Norwegian Centre for E-health Research, the contents of the breach registry have been analysed in order to survey the probability and consequence of the extensive breaches of information security in the US health sector.

Findings

According to the registry, all attacks on healthrelated information may be roughly divided into three categories: 1) hacking and unauthorised use, 2) loss and theft, and 3) improper use.

According to data reported to the registry between 1 January 2010 and 31 December 2016, health information for 171,074,016 persons was exposed. Although some may have had their health information exposed more than once or had health information in several health care institutions (3), this means that approximately 54% of the United States population of 318.9 million have had their medical information exposed. This includes 135,775,362 persons who have been affected by hacking or unauthorised use of health-related information, and 31,908,209 persons affected by theft or loss of health information during this period. On average, health information for 19,396,480 persons has been affected by hacking or unauthorised use annually, whereas 4,558,316 persons were affected by theft or loss of health information. This means that in the period from 2010 until the end of 2016, the probability of being affected by cyber theft was 4.26 times larger compared to physical theft.

The number of events in the category hacking/unauthorised use increased from 16 cases in 2010 to 240 in 2016. During the same period, the number of cases of theft/loss decreased from 154 to 78. As the frequency graph below shows, the average number of breaches per day in the United States in 2016 was 0.83. This means that on average a breach of privacy regulations occurred more often than every second day.

The graph to the right shows the shares of theft/loss and hacking/unauthorised use of health information as a percentage of all attacks on health-related information annually in the period 2010-2016. There is a steadily increasing trend for hacking and unauthorised use, and a decreasing trend for theft/loss. In 2016, for instance, 10 times as many persons were involved in hacking/unauthorised use of health information compared to theft/loss.

Summary

The review of the United States breach registry shows that the probability of breaches is increasing, and is close to becoming a daily event. The extent or consequence of breaches also shows an increasing trend. In sum, this means that the risk of breaches to the privacy legislation for health information in the United States is very high and increasing significantly. In a Norwegian setting, such a risk would require measures to reduce both the probability and consequence of breaches. The extent of breaches of privacy legislation causes concern among health professionals that patients will withhold information from health workers, and thereby undermine opportunities to improve their health and health services(4).

References

1. 45 CFR Parts 160 and 164. https://www.hhs.gov/hipaa/for-...
2. U.S. Department of Health and Human Services Office for Civil Rights. Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information https://ocrportal.hhs.gov/ocr/...
3. Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA. 14. april 2015;313(14):1471.
4. Blumenthal D, McGraw D. Keeping personal health information safe: the importance of good data hygiene. JAMA. 14. april 2015;313(14):1424.