A new data security report from healthcare IT security company Redspin shows that the number of data breaches reported to the U.S. Department of Health and Human Services (HHS) has increased by 138% over the past 12 months.
The true figure is likely higher still. The report covers only breaches reported by HIPAA-covered entities that affected 500 or more individuals; incidents affecting fewer than 500 individuals are reported to HHS annually rather than published on the public breach portal, so they are not included. Even with the reporting requirements of the HIPAA Breach Notification Rule, industry officials say many breaches go unreported altogether.
The total number of people affected by reported breaches is currently estimated at approximately 29.3 million, although the actual number of victims is very probably far higher: back in 2012, the Director of Privacy and Security at HIMSS put the real figure at between 40 and 45 million.
Even when incidents are reported, not every complaint leads to a resolution. Of the roughly 90,000 complaints the Office for Civil Rights (OCR) has received, 5,447 remain unresolved and about 53,000 were closed without a finding. That does not mean no HIPAA violation occurred; cases are typically closed because the complaint was withdrawn, because OCR lacked jurisdiction, or because of procedural failures that prevented a follow-up.
While attacks by hackers have increased year on year, the Redspin report attributes just 65 of the breaches to hacking; 22 percent were due to unauthorized access and 35 percent involved the loss or theft of laptops and other computers holding unencrypted data (the loss of a device whose data is properly encrypted is not a reportable breach, because encrypted PHI falls under the HHS safe harbor). Theft of devices featured in 83 percent of all major breaches, according to the report.
Over previous years the efforts of healthcare organizations have had a measurable effect in reducing unauthorized access and data breaches. Business associates, the third-party vendors that handle protected health information on behalf of covered entities, remain a particular weak point: they were involved in most of the major breaches between 2009 and 2012, although over the past 12 months they were involved in only ten percent of reported breaches.
Not every breach can be prevented, but organizations can take a number of steps to limit the opportunity for criminals to reach patient data. Staff training is essential, and encrypting data at rest on laptops, portable media and servers means that a lost or stolen device does not become a reportable breach. A risk analysis must be conducted regularly, as the Security Rule requires, so that security gaps are identified and closed quickly; according to OCR, the absence of a thorough risk analysis is the root cause of the majority of breaches it investigates.
OCR plans to resume random HIPAA compliance audits, and both the number of violations uncovered and the number of fines issued are expected to rise sharply as a result. To date, only 17 of the roughly 90,000 complaints received have resulted in financial penalties.