20 Million Affected by Health Breaches

Federal List Now Includes 435 Incidents

By Howard Anderson, May 23, 2012.

The federal tally of individuals affected by major healthcare information breaches since September 2009 now exceeds 20 million. But two recently reported major incidents, estimated to have affected a combined total of more than 675,000, have yet to make the list, which now includes 435 incidents.


As of May 23, the breach list includes 29 incidents in 2012 affecting a total of about 935,000. By far the largest of those breaches is a Utah Department of Health hacking incident affecting 780,000 individuals, including Medicaid clients, Children's Health Insurance Plan recipients and others.

Not yet on the list are:

The Department of Health and Human Services' Office for Civil Rights adds breaches to its tally after it conducts an investigation and confirms the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.

More than half of all the major breaches reported since the rule went into effect have involved lost or stolen unencrypted electronic devices or media. By comparison, only about 7 percent have involved a hacker attack. About 22 percent of the breaches have involved a business associate.

Utah Hacking Incident

The Utah hacking incident is listed as involving a business associate because the hacked unencrypted computer was maintained by the Utah Department of Technology Services. The Utah breach is, by far, the largest of about 32 hacking incidents on the list of major breaches.

On May 15, Utah Gov. Gary Herbert announced he was taking several steps in the wake of the breach, including replacing the state's chief technology officer, hiring Deloitte & Touche to conduct an independent security audit of all information technology across all state agencies and creating a new position, health data security ombudsman, who will work with breach victims on case management, credit counseling and public outreach (See: Utah Breach: Governor Takes Action).

Herbert said data stored on all state servers will be encrypted, rather than just encrypting data in transit. And the state also is hiring a public relations firm to help handle "crisis communications."

Health department officials acknowledged that the breach, which they believe was the work of East European hackers, involved a server that was protected with a weak password.

Breach Notification Rule

An interim final version of the HIPAA breach notification rule, which is now in effect, will be replaced in the coming months by a final, beefed-up rule. The HHS Office for Civil Rights recently submitted a proposal for the final rule to the Office of Management and Budget for review. Once that review is completed, the final rule is slated to be published as part of an omnibus package of regulations, which also will include modifications to the HIPAA privacy and security rules.

The final version of the breach notification rule will include clarification of how to determine whether a breach must be reported to federal authorities, Susan McAndrew, OCR's deputy director of health information privacy, said in a recent interview (see: HIPAA Modifications: What to Expect). The interim final version of the breach rule contains a controversial harm standard that requires healthcare organizations to conduct a risk assessment to determine if a breach represents a significant risk of harm and thus must be reported.

Follow Howard Anderson on Twitter: @HealthInfoSec
