11 Million Affected By Major Breaches
Of 288 Incidents Since September 2009, Only 32 Reported This Year
As of June 22, the federal list of major healthcare information breaches that have occurred since September 2009 included 288 cases affecting a total of slightly less than 11 million individuals.
Sixteen breach incidents affecting about 120,000 individuals have been added to the list since May 20. The Department of Health and Human Services' Office for Civil Rights adds incidents to its list as it confirms the details.
So far this year, only two breach incidents have affected more than 100,000:
- The Health Net breach, which affected 1.9 million and involved hard drives missing from a data center managed by IBM (See: Health Net Breach Tops Federal List); and
- A breach at Eisenhower Medical Center in Rancho Mirage, Calif., involving the theft of a desktop computer, affecting more than 514,000.
Other Large Breaches
Other breaches affecting at least 1 million that have been placed on the federal list since its inception include:
- A December 2010 incident at New York City Health & Hospitals Corp. involving the theft of backup tapes from a truck that was transporting them for storage, affecting 1.7 million.
- A December 2009 incident at insurer AvMed involving the theft of a laptop, affecting 1.2 million; and
- An October 2009 incident at BlueCross BlueShield of Tennessee involving the theft of 57 hard drives, affecting more than 1 million.
The theft or loss of various computer devices, including laptops, desktop computers and servers, as well as other portable devices and media, accounts for about 57 percent of the incidents on the Office for Civil Rights' tally. Laptops were involved in about 44 percent of these thefts or losses.
About 20 percent of all incidents have involved a business associate, including two of the largest cases - Health Net and New York City Health & Hospitals.
In a recent interview, regulatory expert Christopher Hourihan, manager of development and programs at Health Information Trust Alliance, advised healthcare organizations to ask their business associates to provide a copy of their latest risk assessment as well as their corrective action plan for mitigating risks.
"Organizations should be asking their business associates about how they secure protected health information," he said. In particular, they should press their business associates for details on security controls for mobile devices and media, he stressed.
HITECH Act Mandate
OCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the interim final version of the HITECH Act breach notification rule took effect.
The rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents, defined as those affecting 500 or more individuals, must be reported to the Office for Civil Rights within 60 days. But breaches of information that's been encrypted using a specific standard do not have to be reported.
A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected later this year as part of an "omnibus" package of several rules (see: HITECH Mandated Regs Still in Works). The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.