Some 29 million private patient health records were compromised between 2010 and the end of 2013 – mostly as a result of criminal activity, say researchers, who described their findings as a likely underestimate of the magnitude of the problem.

In a research letter published April 14 in JAMA (doi:10.1001/jama.2015.2252), Dr. Vincent Liu of Kaiser Permanente in Oakland, Calif., and his colleagues at Stanford (Calif.) University evaluated U.S. Department of Health & Human Services reports of data breaches involving 500 or more patient records covered under the Health Insurance Portability and Accountability Act (HIPAA). Of the 949 reported breach events during the 4-year study period, 67% involved electronic media while about 20% were attributed to paper records. Laptop or portable device theft accounted for 33% of all breaches reported.

Importantly, the frequency of breaches from hacking and unauthorized access increased significantly during the study period (from 12% in 2010 to 27% in 2013), and breaches involving external vendors represented 29% of all incidents.

“Given the rapid expansion in electronic health record deployment since 2012, as well as the expected increase in cloud-based services provided by vendors supporting predictive analytics, personal health records, health-related sensors, and gene-sequencing technology, the frequency and scope of electronic health care data breaches are likely to increase,” Dr. Liu and colleagues wrote.

“Our study was limited to breaches that were already recognized, reported, and affecting at least 500 individuals [as required by the HITECH Act of 2009],” Dr. Liu and colleagues wrote. “Therefore, our study likely underestimated the true number of health care data breaches occurring each year.” The study was funded by Permanente Medical Group and the National Institutes of Health. None of its authors reported any relevant conflicts of interest.