Hackings of data from healthcare firms and doctors jumped over 1,800 percent from 2008-2013, but the federal law governing privacy isn’t tough enough to force a major tightening of security, according to a new study.

Reviewing Health and Human Services reports of data breaches where more than 500 patients were exposed, the Brookings Institution found that the number went from just 13 in 2008 to 256 in 2013, impacting 9 million in 2014.

The report follows the news that health insurer Anthem was hacked, exposing potentially 80 million current and former customers.

“The healthcare sector is an increasingly attractive target for hackers,” said the Brookings report and review of data provided to the think tank from the Office for Civil Rights at HHS.


The data showed that all sectors of the healthcare industry are targets, even local doctors.

While the numbers in the post on Brookings’ “Tech Tank” blog are disturbing, the authors point out another troubling aspect of healthcare and the privacy law, the Health Insurance Portability and Accountability Act.

They note that while customers of firms hacked in the past like Target can simply take their business elsewhere, it is hard to move into new health insurers because their employers have long-term contracts with companies like Anthem. Also, it is often difficult to find new doctors.

And Brookings said that the top fine a healthcare provider faces is $1.5 million, maybe not enough to force the biggest firms to spend heavily on security.

Said the think tank’s blog post: “According to the latest revision of HIPAA, health care organizations that ‘knew, or by exercising reasonable diligence would have known’ of the privacy violations but did not prevent them could potentially be fined a maximum of $1.5 million. To put this in perspective, note that the net income of Anthem in 12 months ending in December 31st, 2014 was $2.5 billion. If Anthem were proven guilty of willful neglect, which is very unlikely, it could lose 0.00058 percent of its net income. Anthem makes that much money in one hour and 15 minutes.”

Paul Bedard, the Washington Examiner's "Washington Secrets" columnist, can be contacted at pbedard@washingtonexaminer.com.