Causes of Healthcare Data Breaches

Bryan Cave Leighton Paisner

Pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), covered entities (e.g., healthcare providers and health plans) must notify the Department of Health and Human Services (“HHS”) of breaches of unsecured protected health information (“PHI”).1 The information reported to HHS gives companies a high level of insight into the types of breaches that occur in the healthcare industry.

The data collected by HHS concerning breaches affecting 500 or more individuals in 2015 shows that unauthorized access or disclosure, such as misdirected mailings, break-ins of physical premises, and employees accessing PHI that is not necessary for their duties, is the most common form of data breach in the health sector – surpassing theft of hardware, which was the leading cause of health data breaches in 2014. The unauthorized access mostly involved paper records. While hacking events tend to be publicized in the media, hacking ranks only third among the leading causes of health data breaches.


The percentage of reported breaches caused by unauthorized access or disclosure.2


The percentage of unauthorized access or disclosure caused by paper records.3


The percentage of reported breaches caused by theft of hardware of all types.4


The percentage of reported breaches caused by hacking/IT incidents.5

Things to consider when reviewing your information security program in light of HHS data:

  1. Implement different access levels for employees’ access to PHI based on their job duties;
  2. Immediately stop access to PHI by terminated employees and escort them if necessary;
  3. Require a two-step verification process to ensure that mail and email recipients’ information is correct before sending invoices or appointment reminders;
  4. Transition from paper records to secure, encrypted computer databases;
  5. Shred paper records when no longer needed;
  6. Prevent break-ins by implementing physical safeguards such as security alarms, security guards, and locks on windows and doors.

1. 45 C.F.R. §164.408(a)-(b).

2. U.S. Dep't of Health and Human Servs. Office for Civ. Rights, Breaches Affecting 500 or More Individuals (April 23, 2016).

3. Id.

4. Id.

5. Id.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising
