Redspin has released its 5th annual report of HIPAA breaches reported to the Secretary of Health & Human Services’ Office for Civil Rights (OCR).
According to the report, there were 164 PHI breaches reported during 2014, which affected approximately 9 million Americans. The data shows there has been a 25% increase in breaches compared to 2013.
Last year’s data breaches – including the CHS breach which exposed the data of 4.5 million patients – bring the number of breach victims since the passing of the HITECH Act to over 40 million, although this figure has now potentially been tripled following the Anthem mega breach reported earlier this month.
This year’s breach ranks as one of the biggest data breaches ever recorded, eclipsing the previous largest healthcare data breaches by many orders of magnitude. To give a better idea of scale, it exposed almost 6 times the data of the huge Tricare breach in 2011, the Community Health System breach of 2014 and Advocate Medical Group’s HIPAA breach in 2009, which exposed 4.9 million, 4.5 million and 4,029,530 records respectively.
According to a statement released by Redspin President and CEO Daniel W. Berger, “From here on, all PHI breach statistics are going to have to be reported as ‘pre- or post-Anthem.’” He went on to say, “It’s that big. We wouldn’t be surprised to see the costs of the Anthem breach exceed a billion dollars.”
Hacking Created the Most Victims
Last year’s data breaches followed a similar pattern to 2013, with the top five breaches of both years responsible for exposing the vast majority of data. In 2013 the top 5 HIPAA breaches exposed the data of 85.4% of the total number of affected individuals; in 2014 the figure was 82.8%.
2013 was the year in which healthcare organizations were hardest hit by the loss and theft of laptops and portable devices. 2014 was the year of the hacker, with hacking surpassing device theft and loss as the major cause, albeit as a result of one huge hacking incident which accounted for 50% of the year’s total.
The Redspin report paints a bleak picture for 2015 and predicts a spike in data breaches. There is a major prize at stake given the value of healthcare data, the huge volume of data stored and a lack of controls to prevent access. The report says “There might as well be a target on the industry’s back.”
Theft of Unencrypted Devices is the Top Cause of HIPAA Breaches
Hackers may have stolen the most data, but they only accounted for 14% of the total breaches recorded for the year. The main cause of HIPAA breaches was the theft of unencrypted storage devices and computer hardware used to store or access PHI, which accounted for 40.8%. Laptop theft alone accounted for a quarter of all incidents, and 22% involved paper records.
How to Avoid HIPAA breaches
The advice offered in the report to healthcare providers, clearing houses, health plans and other covered entities is to conduct a full and thorough risk assessment to identify all vulnerabilities, and to do this routinely and not just once a year.
It recommends “an integrated program of policies, controls, technical safeguards, organizational accountability, enforcement, training, and leadership,” all of which are needed to prevent data breaches.