20 Million Affected by Health Breaches

Federal List Now Includes 435 Incidents

The federal tally of individuals affected by major healthcare information breaches since September 2009 now exceeds 20 million. But two recently reported major incidents, estimated to have affected a combined total of more than 675,000, have yet to make the list, which now includes 435 incidents.


As of May 23, the breach list includes 29 incidents in 2012 affecting a total of about 935,000. By far the largest of those breaches is a Utah Department of Health hacking incident affecting 780,000 individuals, including Medicaid clients, Children's Health Insurance Plan recipients and others.

Not yet on the list are:

The Department of Health and Human Services' Office for Civil Rights adds breaches to its tally after it conducts an investigation and confirms the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.

More than half of all the major breaches reported since the rule went into effect have involved lost or stolen unencrypted electronic devices or media. By comparison, only about 7 percent have involved a hacker attack. About 22 percent of the breaches have involved a business associate.

Utah Hacking Incident

The Utah hacking incident is listed as involving a business associate because the hacked unencrypted computer was maintained by the Utah Department of Technology Services. The Utah breach is, by far, the largest of about 32 hacking incidents on the list of major breaches.

On May 15, Utah Gov. Gary Herbert announced he was taking several steps in the wake of the breach, including replacing the state's chief technology officer, hiring Deloitte & Touche to conduct an independent security audit of all information technology across all state agencies and creating a new position, health data security ombudsman, who will work with breach victims on case management, credit counseling and public outreach (See: Utah Breach: Governor Takes Action).

Herbert said data stored on all state servers will be encrypted, rather than just encrypting data in transit. And the state also is hiring a public relations firm to help handle "crisis communications."

Health department officials acknowledged that the breach, which they believe was the work of East European hackers, involved a server that was protected with a weak password.

Breach Notification Rule

An interim final version of the HIPAA breach notification rule, which is now in effect, will be replaced in the coming months by a final, beefed-up rule. The HHS Office for Civil Rights recently submitted a proposal for the final rule to the Office of Management and Budget for review. Once that review is completed, the final rule is slated to be published as part of an omnibus package of regulations, which also will include modifications to the HIPAA privacy and security rules.

The final version of the breach notification rule will include clarification of how to determine whether a breach must be reported to federal authorities, Susan McAndrew, OCR's deputy director of health information privacy, said in a recent interview (see: HIPAA Modifications: What to Expect). The interim final version of the breach rule contains a controversial harm standard that requires healthcare organizations to conduct a risk assessment to determine if a breach represents a significant risk of harm and thus must be reported.

"We are hopeful that the standards [in the final rule] will be sufficiently clear for how to determine if a breach is reportable," McAndrew said. "We're working on some additional guidance which will help entities, particularly smaller entities that may encounter breaches, to help them identify what the proper steps are to a risk assessment."

About the Author

Howard Anderson


News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
