71 Percent of Health Care Companies Suffer Data Breaches in Past Year: Report

Nearly three-quarters of health care firms reported data breaches in the last year, with snooping staffers mostly to blame, according to a survey by data analytics vendor Veriphyr.

A new study by Veriphyr, a software-as-a-service data analytics application provider, found that 71 percent of health care organizations have suffered at least one data breach within the past year.

Veriphyr offers data-analytics software that allows medical practices to view logs showing who has accessed patients' medical records.

Insider peeks were responsible for most of the breaches, the company reports. Of the breaches reported in the survey, 35 percent involved snooping into medical records of co-workers, and 27 percent involved viewing records of friends and relatives.

Of the 90 health care IT managers Veriphyr surveyed in its Web-based poll, 52 percent believed their health care facility lacked adequate tools to monitor inappropriate access to personal health information. Veriphyr released its report, entitled "Veriphyr's 2011 Survey of Patient Privacy Breaches," on Aug. 31. It includes results of its survey of compliance and privacy officers at mid- to large-size hospitals and health care service providers.

Under HIPAA rules, hospitals must have at least one compliance officer, or privacy officer, to monitor proper access to records.

Of the incidents reported, 25 percent involved loss or theft of physician records and 20 percent involved loss or theft of equipment holding personal health data.

The study found that 79 percent of respondents were "somewhat concerned" or "very concerned" that existing processes do not enable prompt detection of health data breaches. Still, 80 percent of those surveyed believed that top management would act on their recommendations to comply with security requirements, and 74 percent were satisfied with their organization's level of IT compliance and security.

Meanwhile, 52 percent of respondents were dissatisfied with their organization's IT tools to track inappropriate access to sensitive personal health information. The more data breaches respondents reported, the more dissatisfied they were with their company's IT tools.

The results of the survey show that a narrow line exists between accessing the information out of medical necessity and simply snooping out of curiosity.

"The issue in health care is that information about you in the hospital needs to be available to anyone who will give you care," Alan Norquist, Veriphyr's CEO, told eWEEK. "Access to health care information is available broadly."

Physician office staff may be recruited by criminals to access information or may seek information about movie stars or former spouses, Norquist said.

Without an actual person guarding a room of paper records, electronic data may be more challenging to monitor, Norquist suggested. "In the old paper days, it would have been flagged by the person in the health records room," he said.

Data breaches have affected more than 10 million patients since 2009, according to the Office for Civil Rights in the U.S. Department of Health and Human Services. Recent incidents have included lost hardware such as thumb drives or laptops containing personal health information.

At Henry Ford Health System in Detroit, a lost flash drive affected 2,777 patients. In a similar case at the nonprofit Family Planning Council in Philadelphia, a flash drive stolen in December 2010 stored data on 70,000 patients.