By Dennis Thompson
TUESDAY, Sept. 25, 2018 (HealthDay News) -- Hackers are targeting medical record data more than ever, and their most rewarding prey appears to be health insurance companies, a new study suggests.
Data breaches involving health plans accounted for 63 percent of all breached records that occurred between 2010 and 2017, said lead researcher Dr. Thomas McCoy Jr. He is director of research at Massachusetts General Hospital's Center for Quantitative Health in Boston.
"A small number of breaches account for the majority of [patient] records breached," McCoy said. "The majority of the breaches are of health care providers, whereas the majority of the records breached are from health plans."
About 70 percent of all breaches occurred with health care providers, compared with only 13 percent of breaches taking place at health insurance companies, the study findings showed.
But more records are exposed through breaches with health insurers -- about 110 million (63 percent) in 2017, compared with 37 million (21 percent) breached through health care providers that same year.
Insurance providers "work around the clock to ensure their data is secure, and to protect its members' information from bad actors who look for ways to break through their defenses," said Cathryn Donaldson, director of communications for America's Health Insurance Plans, a trade association for health insurers.
"They also regularly submit in-depth reports on any sort of company breach or potential for breach to ensure transparency, and immediately work to protect patient information," Donaldson continued. "Our members are committed to defending patients' security and privacy."
All health care entities must report any breaches of medical data to the federal government. McCoy and his colleagues reviewed records related to those breaches.
The total number of breaches have increased nearly every year, rising from 199 in 2010 to 344 in 2017.
But data hacking and information technology breaches now account for most confidentiality breaches of medical data, with 132 million records breached this way in 2017, the researchers reported.
In the past, theft of records stored on paper, laptop or electronic media had been the most common type of breach.
The risk from theft pales in comparison with hacking these days, however. More records were obtained via theft in 2017 than in any year prior, but even then only 25 million records were breached in this fashion.
The most common type of breached media in 2010 was from laptop computers, followed by paper and film records, but by 2017 network servers or emails accounted for the largest number of breaches.
Looking at overall trends, back in 2010 the most common breach involved theft of a laptop containing medical records, McCoy said.
By 2017, the most common breach involved hacking into a network server.
These results demonstrate the need for all health care entities to create strong digital security that will protect medical records, McCoy said.
"Our patients have an expectation of confidentiality, and when a breach occurs that's a failure to meet that expectation," McCoy said.
McCoy couldn't say what the records are used for, since the intentions of the hackers are usually unknown to their victims.
Donaldson added that insurance companies are dedicated to protecting patient data.
"They invest in the latest best practices to keep the bad actors out of our systems," Donaldson said. "They comply with strict federal and state requirements on data security, which protect individual member information, and they keep pace as these requirements continue to evolve. When they see evidence of attempted criminal activity, they work closely with law enforcement to eliminate the risk."
The findings were published as a research letter in the Sept. 25 issue of the Journal of the American Medical Association.