The federal tally of individuals affected by major healthcare information breaches since September 2009 now exceeds 20 million. But two recently reported major incidents, estimated to have affected a combined total of more than 675,000, have yet to make the list, which now includes 435 incidents.
As of May 23, the breach list includes 29 incidents in 2012 affecting a total of about 935,000. By far the largest of those breaches is a Utah Department of Health hacking incident affecting 780,000 individuals, including Medicaid clients, Children's Health Insurance Plan recipients and others.
Not yet on the list are:
- An Emory Healthcare breach involving 10 missing computer disks, affecting 315,000 surgical patients; and
- A South Carolina Department of Health and Human Services breach affecting 228,000 Medicaid recipients. The incident involved a now-fired employee who was arrested for allegedly transferring patient information to his personal e-mail account.
The Department of Health and Human Services' Office for Civil Rights adds breaches to its tally after it conducts an investigation and confirms the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.
More than half of all the major breaches reported since the rule went into effect have involved lost or stolen unencrypted electronic devices or media. By comparison, only about 7 percent have involving a hacker attack. About 22 percent of the breaches have involved a business associate.
Utah Hacking Incident
The Utah hacking incident is listed as involving a business associate because the hacked unencrypted computer was maintained by the Utah Department of Technology Services. The Utah breach is, by far, the largest of about 32 hacking incidents on the list of major breaches.
On May 15, Utah Gov. Gary Herbert announced he was taking several steps in the wake of the breach, including replacing the state's chief technology officer, hiring Deloitte & Touche to conduct an independent security audit of all information technology across all state agencies and creating a new position, health data security ombudsman, who will work with breach victims on case management, credit counseling and public outreach (See: Utah Breach: Governor Takes Action).
Herbert said data stored on all state servers will be encrypted, rather than just encrypting data in transit. And the state also is hiring a public relations firm to help handle "crisis communications."
Health department officials acknowledged that the breach, which they believe was the work of East European hackers, involved a server that was protected with a weak password.
Breach Notification Rule
An interim final version of the HIPAA breach notification rule, which is now in effect, will be replaced in the coming months by a final, beefed-up rule. The HHS Office for Civil Rights recently submitted a proposal for the final rule to the Office of Management and Budget for review. Once that review is completed, the final rule is slated to be published as part of an omnibus package of regulations, which also will include modifications to the HIPAA privacy and security rules.
The final version of the breach notification rule will include clarification of how to determine whether a breach must be reported to federal authorities, Susan McAndrew, OCR's deputy director of health information privacy, said in a recent interview (see: HIPAA Modifications: What to Expect). The interim final version of the breach rule contains a controversial harm standard that requires healthcare organizations to conduct a risk assessment to determine if a breach represents a significant risk of harm and thus must be reported.
"We are hopeful that the standards [in the final rule] will be sufficiently clear for how to determine if a breach is reportable, McAndrew said. "We're working on some additional guidance which will help entities, particularly smaller entities that may encounter breaches, to help them identify what the proper steps are to a risk assessment."