According to a new study in JAMA, data breaches into people’s protected health information (PHI) records are increasing: “[The] study that found almost 30 million health records nationwide were involved in criminal theft, malicious hacking or other data breaches over four years,” notes the AP reporting on the study.

That’s a lot of data theft. Previous researchers supposed the data stealing is occurring primarily for identity theft reasons, or for medical identity theft (a specialized kind of identity theft that, in one common scenario, allows criminals to profit off of fraudulent billings to Medicare).

But the numbers still pale in comparison to credit card thefts — an ecosystem predicated on the very idea of security for the past five decades. In fact, despite spending countless millions of dollars a year to try and stop such hacking and fraudulent activity, the credit card industry has suffered from spectacular failures in the past few years.

Perspective is everything. Is 30 million records over 4 years a concern? Sure it is… but let’s see how it compares to the credit card data hacks over just these past few years.

• Home Depot lost 55 million credit card numbers to hackers last year
• Target lost 40 million credit card numbers to hackers in 2013
• TJ Maxx/Marshalls lost 94 million in 2005 (though they initially claimed it was just half that number)
• Heartland Payment Systems — one of the very companies setup to ensure your credit card information is secured when it’s being transmitted — lost an astonishing 130 million credit card numbers to hackers in 2008
• 90 million Sony customers’ information was hacked in 2011

Obviously, credit card information is far more useful to a criminal than most people’s medical records. While medical records can be turned into potential profit, the effort is usually much higher to do so.

Don’t get me wrong… Getting credit card numbers through identity theft of one’s medical records is a real potential concern. It happens. But hacking medical records to do it seems like a long way ’round to get to such information.

The real problem with the study perhaps isn’t the study itself (Liu et al., 2015), but the publicity surrounding it and how its results are being spun — by both JAMA and the media.

Scare Mongering, JAMA-Style

One of the scare-mongering red flags that caught my attention in the AP article was its reference to a JAMA editorial that accompanied the new study:

A JAMA editorial says there’s evidence that the incidents are leading some patients to avoid giving doctors sensitive information about their health, including substance abuse, mental health problems, and HIV status.

“Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States,” the editorial said.

Which mirrors what the actual JAMA editorial says:

Concerned patients may also withhold sensitive information about issues such as mental health, substance abuse, human immunodeficiency virus status, and genetic predispositions. Surveys suggest this may already be happening to some degree.(2) Loss of trust in an electronic health information system could serious undermine efforts to improve health and health care in the United States.

Dire words indeed.

However, the lone study the editorial points to in order to support this statement actually found nothing of the sort (Agaku, 2014).

That survey, conducted on 3,959 U.S. adults in 2011 and 2012, queried subjects about their feelings about the use, security and privacy of their PHI (protected health information) — their medical records. This survey wasn’t about electronic records specifically — it was about a person’s medical data, whether in paper form and faxed, or stored in an electronic health record.

In part, that study found:

[…] 12.3% of US adults reported that they had withheld information from a healthcare professional during 2011-2012 2012, which was similar to the proportion that had engaged in similar privacy protective behaviors in 2005 (13%) and 1999 (15%). This unabated trend may be due to fact that PHI security breaches have become increasingly more prevalent in recent times in the USA.

In fact, look at that trend line in the data the researcher mentioned — it’s going down! People are actually saying they’re withholding less information from a health care professional due to privacy or security concerns than they did in 1999. Interesting that the JAMA editorial didn’t note that.

It’s easy to gloss over such trends and findings when they don’t fit into the narrative you’re trying to paint — that we should be scared by medical data breaches. In fact, the AP headline sums up the scare-mongering nicely: “Study: Patients’ medical records under threat from increasing hackings & other data breaches.”

Yes, perhaps they are. But probably no more so than any other electronic personal information. And certainly not more than criminals’ attempts to attain credit card numbers.

The fact is, as long as humans interact with computer systems, there will always be opportunities for data leaks and social engineering scams. We can do our best — and must do our best — to implement safeguards into our systems (whether they be paper, social, or electronic) to minimize such breaches.

But we should not fear the problem is getting worse. And we should not inject scary headlines into the discussion to try and make people fear something more than they should. They have no place in rational discourse on this complex topic.

References

Israel T Agaku , Akinyele O Adisa , Olalekan A Ayo-Yusuf , Gregory N Connolly. (2014). Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. Journal of the American Medical Informatics Association. DOI: http://dx.doi.org/10.1136/amiajnl-2013-002079.

Liu, V., Musen, MA, Chou, T. (2015). Data breaches of protected health information in the United States. JAMA. DOI: 10.1001/jama.2015.2252.