About one out of every six data breaches involving data covered by the Health Insurance Portability and Accountability Act (HIPAA) occurs at a “business associate” of a healthcare facility, which could include collection agencies, according to a report published by the Journal of the American Medical Association.
Since 2010, more than 175 million patient records have been compromised in data breaches, according to the report. The overwhelming majority of breaches have occurred at what the report calls health plans, which it defines as the entities that provide or pay the cost of medical care. Health plans have been responsible for 110 million of the 175 million reported records compromised in breaches. Business associates have accounted for 29 million breached records, while healthcare providers have accounted for 37 million.
The number of data breaches involving HIPAA data has increased dramatically since 2010, when a law went into effect that requires entities to notify individuals when a breach of more than 500 records occurs. There were 199 such breaches in 2010; by 2017, that total had increased to 344.
Most records involved in a breach are now found on email and network servers, whereas back in 2010 stolen laptops and paper files were the most common sources. The average data breach involves 2,300 records, according to the report.