Peer-reviewed medical study on privacy protections at US hospitals
Here is an interesting Research Letter in JAMA Internal Medicine entitled "Hospital Risk of Data Breaches." (Paywall.) The authors reviewed DHHS data on hospital breaches from 2009 to 2016.
The reviewed data suggest that breaches are more likely to happen at teaching hospitals than at non-teaching hospitals, and that the risk of breaches increases with the size of the institution.
From a legal perspective, the baseline obligation to secure and competently handle patient medical records across the lifecycle of that information -- and the lifecycle of the patients -- applies more or less equally no matter the size of the institution. But many information security standards incorporate duties of reasonable care. In practice, reasonableness means that entities on notice that they face greater risk of breach must take more extensive measures to mitigate that risk. (This is especially so under the tort framework, where clients find themselves sorting out issues post-breach: reasonableness and liability will be assessed in hindsight.)
To a privacy litigator, the Letter is potentially useful as a Plaintiff's exhibit in a breach action against a large hospital. "Your honor, as a big old teaching hospital, they're on notice of the substantial risk, and the risk required greater protections than they took . . ."
Consumer Reports notes,
"Hospital data breaches are a fairly regular occurrence these days and can result in your Social Security number, health insurance ID, and other personal information being exposed and misused. For instance, your info may be used to perpetrate medical identity fraud—in which someone else obtains medical care in your name and leaves you with the bills and falsified medical records."
Via Consumer Reports, whose spin is a listicle entitled "Protect Yourself From a Hospital Data Breach." (Right. How many consumers of medical care choose their provider on the basis of perceived privacy standards? Not the ones who arrive in the back of an ambulance. . .)
Final observation. The lead author of the JAMA letter is from Carey Business School at Johns Hopkins; all authors are PhDs and CPAs affiliated with Business Schools. Did they consult a lawyer during the pre-publication review process?