Top 5 Health information security threats for medical practices

Despite having their computers secured by antivirus software, firewall and password protected logins – medical practices have increasingly fallen prey to data security breaches. In most cases, it is an inside job, however these breaches could have been evaded if proper security measures were followed.

Here are the top 5 health information security breach incidents (reported to the Secretary HHS) that have caused serious damage to the medical practices and compromised the protected health information of millions of patients.

Hacking network server/workstation

In a data breach incident, a hacker broke into the service’s server of the Utah Department of Technology and hacked personal data (SSN, contact information, PHI) belonging to 780,000 patients archived on the server. The hacker was successful in breaching the security of the server by intercepting a weak password.

Improper disposal of documents, X-rays and clinical reports

Clinical records of 2,850 individuals were compromised when a third party found documents containing the information in a recycling container (instead of paper shredders) behind the building of South Carolina Department of Health and Environmental Control. In a similar incident, St. John’s Mercy Medical Group improperly disposed off patients’ Protected Health Information in a dumpster outside of a doctor’s office.

Lost portable devices and backup CDs

While in transit on public transportation, a laptop was lost by an employee of Health Services for Children with Special Needs which contained PHI of 3,800 individuals. In another reported breach, Mercer Health & Benefits lost a server backup tape containing roughly 375,000 individuals as it was being sent via courier. Eden Medical Center lost two USB storage devices containing ePHI of 1,474 individuals.


A desktop and four laptop computers were stolen from the Detroit Department of Health and Wellness Promotion’s locked facility. Following the breach, the covered entity installed new office door locks with assigned keys, installed security cameras with alarms, and physically secured computers to desks. Moreover, several incidents of laptop theft and external hard drives stolen from cars have been reported.

Unauthorized access or disclosure

According to a breach report, former employees of E. Brooks Wilkins Family Medicine took protected health information (PHI) pertaining to 13,000 patients and disclosed it to a competing medical practice. Moreover, there are incidents of passing on PHI through Email to third parties and other misuses.

[All the data breach incidents mentioned here have been sifted from HHS report. ]

It is obvious from this data breach track sheet that technology as well as the use of technology needs to be examined to avoid security breaches.

EHRs security risk assessment
SequelMed EHR maintains the security of health information by strictly maintaining HIPAA’s security and data encryption standards. On the topic, Ms. Rebecca Morehead, a practice management strategist suggests a few security risk assessment components for a secure use of electronic health record (EHR) systems. She suggests,

  • A review of security procedures at every level including management, clinicians and IT staff.
  • Risk management procedures and review of external accesses to your network.
  • Analyze threats to confidentiality, integrity and availability of protected information.
  • Establish measures to identify future security risks.
  • A process for integrating continuing security updates.

Additionally, you can voice your concerns and issues about health information security by sending us a direct message or submit comments below.

About Jamil Ahmad

Jamil Ahmad is a Health IT enthusiast and Editor of SequelMed Blog. He writes insightful blog posts about EHR, EMR, Meaningful Use program and Healthcare IT scene. His experience as media and communication specialist and journalistic background has earned him the skills necessary to create engaging content for a wider audience. He can be contacted through his Twitter handle @HITBlogger

Leave a Reply