MGH Study Highlights How Breaches Have Changed

A Massachusetts General Hospital study confirms how dramatically in 8 short years the landscape of HIPAA reportable breaches has changed.

As noted by Donovan (2018, September 26) “In 2010, the most common type of healthcare data breach was theft of physical records, but by 2017 hacking or other IT incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data. The most common type of breached media in 2010 was from laptop computers followed by paper and film records, while by 2017 network servers or emails accounted for the largest number of breaches. Overall, the greatest number of patient records were breached from network servers, the study found.”

Several factors account for the shift in breach characteristics. The great gold rush of Meaningful Use incentive eligible EHR implementations really didn’t hit it’s stride until 2012-2014. According to, by 2016 98% of eligible hospitals had adopted certified EHR technology. Sometimes systems were implemented before organizations fully understood all the HIPAA/HITECH security suppport needed to stay in compliance and frankly, HIPAA Privacy Officers were by and large caught unawares of the shift they would need to make in their focus and response to breach threats. Lastly, there is an element of paying attention to something causing an increase in reports. In recent years, the Office of Civil Rights (OCR) has penalized covered entities for delays in discovery and reporting of breaches. The result of this high profile activity is an increase in timely reports by entities that are more risk averse.