Many types of important and sensitive personal information – like bank account details, identification numbers, and internet browsing history – are known to be vulnerable to undisclosed sharing and security breaches.
But what about medical records? A new study by two physicians from Massachusetts General Hospital has concluded that breaches to people’s health data are alarmingly frequent and large scale.
Writing in the Journal of the American Medical Association, Dr Thomas McCoy Jr and Dr Roy Perlis state that 2,149 breaches comprising a total of 176.4 million records occurred between 2010 and 2017. Their data was drawn from the US Health and Human Services Office for Civil Rights breach database, where all breaches of American patient records must be reported under US law.
They found that the number of breach events increased every year during that period, except in 2015. Though this research encompasses several forms of data breach perpetrated for different reasons, Healthcare Analytics News notes that individual patient records may sell for up to $300 to $400 on the dark web.
“Despite the ethical and legal obligation to protect patient privacy and efforts to establish best practices for health care information security, breach rates have increased and health care providers accounted for a large share of those breaches,” the authors wrote.
Overall, paper- and film-based records were the most commonly compromised type of medical record, with 510 breaches involving 3.4 million records, but the frequency of this type of breach went down across the study period, and the largest share of breached records – 139.9 million – came from infiltration of network servers storing electronic health records (EHRs). The frequency of hacking-based breaches went up during the study period. These patterns were undoubtedly caused by the ongoing shift away from physical records to EHRs.
McCoy and Perlis found that the majority of breaches occurred due to the actions of health care providers, though compromised systems at health plan companies accounted for a larger total number of records exposed.
“Although networked digital health records have the potential to improve clinical care and facilitate learning [in] health systems, they also have the potential for harm to vast numbers of patients at once if data security is not improved,” they said.
In a real-life example of one of these breaches, earlier this month the University of Massachusetts Memorial Health Care system was forced to pay the state $230,000 in fines after the Massachusetts Attorney General alleged that the higher-ups at their facilities did not adequately respond to internal tip-offs about two employees who used patient information to open credit card and cell phone accounts. The lawsuit argued that management violated the Health Insurance Portability and Accountability Act (HIPAA), the Consumer Protection Act, and the Massachusetts Data Security Law when they did not properly respond to the complaints or take the necessary steps to safeguard patient data.