Hospital Risk of Data Breaches mended screening to women 40 years or older. Our findings are largely consistent with a 2014 survey of PCPs from 4 clinical networks where similar proportions of physicians recommended screening with higher rates noted among gynecologists.5 We also found sharp differences in recommen- dations based on which guidelines physicians trusted most, which may suggest that current practices reflect both varying adherence to guidelines as well as differences in which guide- lines are trusted. The results provide an important bench- mark as guidelines continue evolving and underscore the need to delineate barriers and facilitators to implementing guide- lines in clinical practice. Archana Radhakrishnan, MD, MHS Sarah A. Nowak, PhD Andrew M. Parker, PhD Kala Visvanathan, MD, MHS Craig Evan Pollack, MD, MHS Author Affiliations: Division of General Internal Medicine, Johns Hopkins University, Baltimore, Maryland (Radhakrishnan, Pollack); RAND Corporation, Santa Monica, California (Nowak); RAND Corporation, Pittsburgh, Pennsylvania (Parker); Department of Epidemiology, Johns Hopkins Bloomberg School of Public Health, Baltimore, Maryland (Visvanathan); Department of Oncology, Johns Hopkins School of Medicine, Baltimore, Maryland (Visvanathan); Johns Hopkins Bloomberg School of Public Health, Baltimore, Maryland (Pollack). Corresponding Author: Archana Radhakrishnan, MD, Division of General Internal Medicine, Johns Hopkins University, 2024 E Monument St, Ste 2-300C, Baltimore, MD 21287 (aradhak3@jhu.edu). Published Online: April 10, 2017. doi:10.1001/jamainternmed.2017.0453 Author Contributions: Dr Radhakrishnan had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis. Study concept and design: Radhakrishnan, Nowak, Parker, Pollack. Acquisition, analysis, or interpretation of data: Radhakrishnan, Nowak, Parker, Visvanathan, Pollack. Drafting of the manuscript: Radhakrishnan. Critical revision of the manuscript for important intellectual content: Nowak, Parker, Visvanathan, Pollack. Statistical analysis: Radhakrishnan, Parker. Obtained funding: Nowak, Parker, Pollack. Administrative, technical, or material support: Pollack. Study supervision: Pollack. Conflict of Interest Disclosures: None reported. 1. Oeffinger KC, Fontham ETH, Etzioni R, et al; American Cancer Society. Breast cancer screening for women at average risk: 2015 guideline update from the Ameri- can Cancer Society. JAMA. 2015;314(15):1599-1614. doi:10.1001/jama.2015.12783 2. Siu AL; U.S. Preventive Services Task Force. Screening for breast cancer: U.S. Preventive Services Task Force Recommendation Statement. Ann Intern Med. 2016;164(4):279-296. doi:10.7326/M15-2886 3. American College of Obstetricians-Gynecologists. Practice bulletin no. 122: Breast cancer screening. Obstet Gynecol. 2011;118(2, pt 1):372-382. doi:10.1097 /AOG.0b013e31822c98e5 4. Peterson EB, Ostroff JS, DuHamel KN, et al. Impact of provider-patient communication on cancer screening adherence: a systematic review. Prev Med. 2016;93:96-105. doi:10.1016/j.ypmed.2016.09.034 5. Haas JS, Sprague BL, Klabunde CN, et al; PROSPR (Population-based Research Optimizing Screening through Personalized Regimens) Consortium. Provider attitudes and screening practices following changes in breast and cervical cancer screening guidelines. J Gen Intern Med. 2016;31(1):52-59. doi:10.1007/s11606-015-3449-5 Hospital Risk of Data Breaches As the adoption of electronic record and health information tech- nology rapidly expands, hospitals and other health providers increasingly suffer from data breaches.1 A data breach is an im- permissible use or disclosure that compromises the security or privacy of the protected health information and is commonly caused by a malicious or criminal attack, system glitch, or hu- man error.2,3 Policy makers, hospital administrators, and the public are highly interested in reducing the incidence of data breaches. In this retrospective data analysis, we use data from the Department of Health and Human Services (HHS) to exam- ine what type of hospitals face a higher risk of data breaches. Methods | Under the Health Information Technology for Eco- nomic and Clinical Health Act of 2009, all heath care providers covered by the Health Insurance Portability and Accountabil- ity Act must notify HHS of any breach of protected health in- formation affecting 500 or more individuals within 60 days from the discovery of the breach. The Department of Health and Hu- man Services publishes the submitted data breach incidents on its website, with the earliest submission date as October 21, 2009. We were able to link 141 acute care hospitals to their 2014 fiscal year Medicare cost reports filed with the Centers for Medi- care and Medicaid Services (CMS). The unlinked hospitals in- clude long-term care hospitals, Veterans Affairs and military hos- pitals, hospital systems, and hospitals unidentifiable in the CMS data set. We applied multivariable and regression analyses to compare these 141 hospitals with other acute care hospitals to understand what type of hospitals face a higher risk of breaches.4 Statistical analysis was performed with SAS 9.4 (SAS Institute Inc) and STATA 14 (StataCorp LLC). For statistical analysis, t tests were used, and P < .05 was considered significant. Results | Between October 21, 2009, and December 31, 2016, 1798 data breaches were reported.5 Among them, 1225 breaches Figure 2. Proportion of Physicians Who Recommend Breast Cancer Screening Categorized by Which Guidelines Physicians Report Trusting the Most 100 80 60 40 20 90 70 50 30 10 0 40-44 45-49 ≥7555-74 Ph ys ic ia ns , % 50-54 ACS ACOG USPSTF Guidelines a a a Age Group, y ACOG, American Congress of Obstetricians and Gynecologists; ACS, American Cancer Society; USPSTF, US Preventive Services Task Force. aDenotes statistically significant (P < .05) differences based on most trusted organizational guideline. Letters 878 JAMA Internal Medicine June 2017 Volume 177, Number 6 (Reprinted) jamainternalmedicine.com © 2017 American Medical Association. All rights reserved. Downloaded From: https://jamanetwork.com/ by a Carnegie Mellon University User on 04/05/2021 mailto:aradhak3@jhu.edu http://jama.jamanetwork.com/article.aspx?doi=10.1001/jamainternmed.2017.0453&utm_campaign=articlePDF%26utm_medium=articlePDFlink%26utm_source=articlePDF%26utm_content=jamainternmed.2017.0453 http://jama.jamanetwork.com/article.aspx?doi=10.1001/jama.2015.12783&utm_campaign=articlePDF%26utm_medium=articlePDFlink%26utm_source=articlePDF%26utm_content=jamainternmed.2017.0453 http://dx.doi.org/10.7326/M15-2886 http://dx.doi.org/10.1097/AOG.0b013e31822c98e5 http://dx.doi.org/10.1097/AOG.0b013e31822c98e5 http://dx.doi.org/10.1016/j.ypmed.2016.09.034 http://dx.doi.org/10.1007/s11606-015-3449-5 http://www.jamainternalmedicine.com/?utm_campaign=articlePDF%26utm_medium=articlePDFlink%26utm_source=articlePDF%26utm_content=jamainternmed.2017.0336 were reported by health care providers and the remaining by business associates, health plans, or health care clearing houses. There were 257 breaches reported by 216 hospitals in the data, with median (interquartile range [IQR]) 1847 (872- 4859) affected individuals per breach; 33 hospitals that had been breached at least twice and many of which are large ma- jor teaching hospitals (Table 1). Table 2 lists hospitals with more than 20 000 total affected individuals. For the 141 acute care victim hospitals linked to their 2014 CMS cost reports, the me- dian (IQR) number of beds was 262 (137-461) and 52 (37%) were major teaching hospitals. In contrast, among 2852 acute care hospitals not identified as having breaching incidents, the me- dian (IQR) number of hospital beds was 134 (64-254), and 265 (9%) were major teaching hospitals. Hospital size and major teaching status were positively associated with the risk of data breaches (P < .001). Discussion | A fundamental trade-off exists between data secu- rity and data access. Broad access to health information, es- sential for hospitals’ quality improvement efforts and re- search and education needs, inevitably increases risks for data breaches and makes “zero breach” an extremely challenging objective. The evolving landscape of breach activity, detec- tion, management, and response requires hospitals to con- tinuously evaluate their risks and apply best data security prac- tices. Despite the call for good data hygiene,6 little evidence exists of the effectiveness of specific practices in hospitals. Identification of evidence-based effective data security prac- tices should be made a research priority. This study has 3 important limitations. First, data breaches affecting fewer than 500 individuals were not examined. Sec- ond, since each victim hospital was matched to CMS cost re- port based on the name and state, the matching might be in- complete or inaccurate for some hospitals. Finally, our analysis is limited to the hospital industry. Future studies that exam- ine the characteristics of other types of health care entities that experienced data breaches are warranted. Ge Bai, PhD, CPA John (Xuefeng) Jiang, PhD Renee Flasher, PhD, CPA Author Affiliations: The Johns Hopkins Carey Business School, Washington, DC (Bai); Eli Broad College of Business, Michigan State University, East Lansing (Jiang); Miller College of Business, Ball State University, Muncie, Indiana (Flasher). Table 1. Hospitals Breached More Than Once Between October 21, 2009, and December 25, 2016 Hospital Name State Frequency Montefiore Medical Center NY 4 University of Rochester Medical Center & Affiliates NY 4 Brigham and Women's Hospital MA 3 Cook County Health & Hospitals System IL 3 Mount Sinai Medical Center FL 3 St Vincent Hospital and Healthcare, Inc IN 3 Advocate Health and Hospitals Corporation IL 2 Aventura Hospital and Medical Center FL 2 Beth Israel Deaconess Medical Center MA 2 Children's Medical Center of Dallas TX 2 Children's National Medical Center DC 2 Florida Hospital FL 2 Georgetown University Hospital DC 2 Henry Ford Hospital MI 2 Holy Cross Hospital FL 2 Hospital for Special Surgery NY 2 Jersey City Medical Center NJ 2 Jewish Hospital KY 2 Kern Medical Center CA 2 Long Beach Memorial Medical Center CA 2 Lucile Packard Children's Hospital CA 2 Martin Army Community Hospital GA 2 Massachusetts General Hospital MA 2 Mercy Medical Center Redding CA 2 Mount Sinai Medical Center NY 2 NYU Hospitals Center NY 2 Phoebe Putney Memorial Hospital GA 2 Rady Children's Hospital - San Diego CA 2 Riverside County Regional Medical Center CA 2 St Elizabeth's Medical Center MA 2 Thomas Jefferson University Hospitals, Inc PA 2 Titus Regional Medical Center TX 2 UC Davis Medical Center CA 2 Table 2. Breached Hospitals With More Than 20 000 Total Affected Individuals Hospital Name State Total Affected Individuals Advocate Health and Hospitals Corporationa IL 4 031 767 AHMC Healthcare Inc and affiliated Hospitals CA 729 000 Jacobi Medical Center NY 90 060 Providence Hospital MI 83 945 St Vincent Hospital and Healthcare, Inca IN 65 666 Cincinnati Children’s Hospital Medical Center OH 60 998 Montefiore Medical Centera NY 53 715 Kaiser Foundation Hospital- Orange County CA 49 000 Methodist Dallas Medical Center TX 44 000 Seton Family of Hospitals TX 39 000 Jersey City Medical Centera NJ 37 847 Santa Rosa Memorial Hospital CA 33 702 Cook County Health & Hospitals Systema IL 30 148 Integrity Transitional Hospital TX 29 514 St Luke's Cornwall Hospital NY 29 156 Gibson General Hospital IN 28 893 Blount Memorial Hospital, Inc TN 27 799 Jamaica Hospital Medical Center NY 26 162 Our Lady of Peace Hospital KY 24 600 Thomas Jefferson University Hospitals, Inca PA 24 150 Children's National Medical Centera DC 22 107 Reid Hospital & Health Care Services IN 22 001 Florida Hospitala FL 21 484 Rady Children's Hospital - San Diegoa CA 20 428 a Hospitals that experienced at least 1 breach occurring between October 21, 2009, and December 31, 2016. Letters jamainternalmedicine.com (Reprinted) JAMA Internal Medicine June 2017 Volume 177, Number 6 879 © 2017 American Medical Association. All rights reserved. Downloaded From: https://jamanetwork.com/ by a Carnegie Mellon University User on 04/05/2021 http://www.jamainternalmedicine.com/?utm_campaign=articlePDF%26utm_medium=articlePDFlink%26utm_source=articlePDF%26utm_content=jamainternmed.2017.0336 Corresponding Author: Ge Bai, PhD, CPA, The Johns Hopkins Carey Business School, Bernstein-Offit Bldg 353, 1717 Massachusetts Ave NW, Washington, DC 20036 (gbai@jhu.edu). Published Online: April 3, 2017. doi:10.1001/jamainternmed.2017.0336 Author Contributions: Dr Bai had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis. Study concept and design: All authors. Acquisition, analysis, or interpretation of data: Bai, Jiang. Drafting of the manuscript: All authors. Critical revision of the manuscript for important intellectual content: All authors. Statistical analysis: Bai, Jiang. Administrative, technical, or material support: All authors. Supervision: Bai, Jiang. Conflict of Interest Disclosures: None reported. Additional Contributions:We acknowledge the valuable comments from Gerard F. Anderson, PhD, and technical support from Jianbo Liu, PhD; they did not receive compensation. 1. Liu V, Musen MA, Chou T. Data breaches of protected health information in the United States. JAMA. 2015;313(14):1471-1473. 2. US Department of Health and Human Services. Breach Notification Rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification. Accessed December 28, 2016. 3. Ponemon Institute. Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. http://www.ponemon.org/blog/sixth-annual-benchmark -study-on-privacy-security-of-healthcare-data-1. Accessed December 28, 2016. 4. Bai G, Anderson GF. A more detailed understanding of factors associated with hospital profitability. Health Aff (Millwood). 2016;35(5):889-897. 5. The US Department of Health and Human Services. Breaches affecting 500 or more individuals. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed December 28, 2016. 6. Blumenthal D, McGraw D. Keeping personal health information safe: the importance of good data hygiene. JAMA. 2015;313(14):1424-1424. Experience and Outcomes of Hepatitis C Treatment in a Cohort of Homeless and Marginally Housed Adults Approximately 44% of homeless adults are hepatitis C virus (HCV)-infected.1-5 Historically, homeless and marginally housed (HMH) adults have faced barriers to HCV treatment. New, interferon-free therapies have excellent cure rates and improved tolerability, reducing barriers for treatment.6 To our knowledge, no published studies have documented the treat- ment of HMH populations with these therapies. The Boston Health Care for the Homeless Program (BHCHP) began treat- ing HMH adults with oral agents in 2014. Methods | We retrospectively describe the experience and outcomes of oral direct acting antiviral agents for HCV in a cohort of HCV-infected HMH adults. The study protocol was approved by the Institutional Review Board at Massachu- setts General Hospital and deemed to meet Minimal Risk cri- teria. Patients received treatment at BHCHP, a federally qualified health center providing integrated primary care services via a patient-centered medical home approach to more than 11 000 individuals in the Boston area annually. Patients were not compensated for their participation. The HCV treatment team (a c are coordinator [1.0 full-time equivalent], nurse [0.5 full-time equivalent], and 3 primary care clinicians [1 nurse practitioner, 0.25 full-time equiva- lent, and 2 primary care physicians—0.1 full-time equivalent combined]) provided care. Patients had an initial evaluation Table. Baseline Characteristics of the Cohort of 64 Hepatitis C Virus (HCV)-Infected Homeless and Marginally Housed Adults Treated With Oral Therapy Characteristic Sustained Virologic Response, No. (%) Not Achieved (n = 2) Achieved (n = 62) Age, mean (SD), y 53.5 (7.8) 55.5 (7.7) Sex Male 1 (50) 48 (77) Race Nonwhite 1 (50) 28 (53) Ethnicity Hispanic 0 45 (74) Veteran 0 5 (8) Education