Healthcare Data Breaches Exceed 500

In September 2009, following the incorporation of the requirements of the HITECH Act into HIPAA legislation, the Department of Health and Human Services started monitoring healthcare data breaches. Since that date all data breaches affecting over 500 individuals must be reported within 60 days of the breach being discovered.

Over 21.2 million individuals have been affected by healthcare data breaches since records started being kept, and the tally of data braches has now exceeded the 500 milestone.

The Health Insurance Portability and Accountability Act was introduced with a number of aims, one of which was to ensure Protected Health Information is safeguarded and protected from unauthorized access, disclosure, hacking, loss and theft. The legislation also covers patient privacy and restricts the information that can be disclosed without authorization.

HIPAA is supposed to ensure that all covered entities implement administrative, technical and physical safeguards to protect PHI and meet a minimum national standard of data security. The problem is that covered entities are not doing enough, are failing to adhere to the rules and are not committing enough resources to privacy and security matters.

While this major milestone has been reached which is bad news, it is certainly a good sign that the number of data breaches reported in 2012 has decreased from last year and also that the number of major breaches has similarly fallen. 2011 saw 5 large scale data breaches affecting over half a million individuals, whereas in 2012 only one data breach was recorded which affected more than 500,000 people. This can be taken as a sign that HIPAA regulations are having some effect.

The main cause of data breaches – 54% of reports – was the loss and theft of portable devices used to store PHI, and Business Associates are clearly struggling with HIPAA regulations, being responsible for 20% of data breaches since September, 2009.

The Office for Civil Rights posts details of PHI breaches on its website, on what is commonly referred to as its “Wall of Shame.” In 2012, 91 incidents were added, many of those were relatively small. There were only four data breaches reported for the entire year that involved over 100,000 records. Out of the data breaches posted, 2.06 million individuals have had their PHI exposed.

This is a considerable improvement from last year when 148 data breaches were posted on the website, which affected 10.8 million individuals.

The year is not yet over so there may be more breach reports made; however there have been some notable breaches this year. The largest involved the Utah Department of Health where hackers obtained 780,000 health records, Emory Healthcare lost 10 computers containing 315,000 individuals, the South Carolina Department of Health and Human Services had an employee-related HIPAA breach which exposed 228,000 records – they were emailed to a personal email account by an employee – and the Memorial Healthcare System reported a data breach in July caused by issues with a web portal. That incident compromised the data of 102,000 patients.

It has been pointed out that since reporting of breaches has become mandatory and is being enforced, the real state of healthcare data security and privacy can be assessed. The figures today are likely to be far more accurate than in previous years, and certainly before the HHS started keeping a record of breaches. Also, since fines have started to be issued, healthcare providers and other covered entities have realized that compliance is no longer something that can be put on the back burner and they are now taking action.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.