Health Info Breaches: Good, Bad News
Few Incidents Added to Tally, But One Affected 400,000
As of July 22, the federal list of major breaches that have occurred since September 2009 included 292 cases affecting a total of 11.4 million individuals. This year, there have been about 36 cases affecting a total of 3.1 million, according to the list, prepared by the Department of Health and Human Services' Office for Civil Rights.
Despite the statistics for the past month and the year so far, security specialist Rebecca Herold, owner of Rebecca Herold & Associates, says, "I don't believe major breaches have actually been slowed down." She acknowledges that the increased awareness of breach threats as a result of the federal tally "has helped many organizations to take appropriate breach prevention steps." But, she adds, "Many covered entities, and perhaps most business associates, based upon my discussions with many of them, still aren't doing anything to effectively stem breach occurrences, and certainly are not reporting them to HHS, from what I've seen."
Adam Greene, a partner in the Washington law firm Davis Wright Tremaine who until recently worked on enforcement issues at OCR, speculates that the federal breach notification rule, mandated by the HITECH Act, as well as toughened state breach regulations, could be serving as catalysts for action. He says the regulations, which pose the threat of penalties, may "have led to organizational improvements, such as encryption of mobile devices" that could be helping to prevent some breach incidents.
PC Theft Incident
Among the four incidents that the HHS Office for Civil Rights added to the list since June 22 is a breach at Spartanburg Regional Healthcare System involving the theft of a desktop computer from an employee's car. That incident, which affected 400,000, is one of only three incidents so far this year affecting at least 100,000. The other two are:
- A breach involving insurer Health Net, which affected 1.9 million and stemmed from hard drives missing from a data center managed by IBM (See: Health Net Breach Tops Federal List); and
- A breach at Eisenhower Medical Center in Rancho Mirage, Calif., involving the theft of a desktop computer, affecting more than 514,000.
The theft or loss of various computer devices, including laptops, desktop computers and servers, as well as other portable devices and media, still accounts for about 57 percent of the incidents on the Office for Civil Rights' tally. About 20 percent of all incidents, including the Health Net case, have involved a business associate. To cut down on breaches stemming from theft and loss of devices and media, Herold recommends that organizations:
- Assign information security and privacy responsibility;
- Establish consistently enforced policies, with supporting procedures;
- Provide regular training and ongoing awareness communications; and
- Implement appropriate technologies, including encryption, data loss prevention, remote data wipe for mobile devices and device tracking systems.
HITECH Act Mandate
OCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the interim final version of the HITECH Act breach notification rule took effect.
The rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents, defined as those affecting 500 or more individuals, must be reported to the Office for Civil Rights within 60 days. But breaches of information that's been encrypted using a specific standard do not have to be reported.
Earlier this year, OCR officials reported that the office had received notification of at least 31,000 smaller breaches (fewer than 500 affected). Organizations must report these smaller incidents to OCR annually.
A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected later this year as part of an "omnibus" package of several rules (see: HITECH Mandated Regs Still in Works). The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.