10.8 Million Affected by Major Breaches

Federal Tally Includes 265 Health Breaches Since September 2009
The federal list of major healthcare information breaches that have occurred since September 2009 now includes 265 cases affecting a total of more than 10.8 million individuals.

In the past month, 16 incidents that occurred in 2010 or 2011 were added to the tally, which the Department of Health and Human Services' Office for Civil Rights regularly updates. These include the largest breach on the list so far - the Health Net incident, which affected 1.9 million - and a breach at Eisenhower Medical Center, which affected more than 500,000.

Although only 11 incidents that occurred this year have made it to the federal list so far, those cases - because of the big numbers for Health Net and Eisenhower - affected a combined total of 2.5 million.

At least four state agencies are investigating the Health Net incident, which occurred in January and involved hard drives missing from a data center managed by IBM (See: Health Net Breach Tops Federal List). The OCR list still labels the type of breach at Health Net as "unknown" and the location as "other." The office amends its list, fine-tunes the total number of individuals affected and adds details as its investigations continue.

The second largest incident on the OCR list, which occurred last December at New York City Health and Hospitals Corp., involved backup tapes stolen from a truck that was transporting them for secure storage (See: New York Breach Affects 1.7 Million).

Value of Encryption

The Health Net and New York cases have placed a spotlight on the need to take adequate precautions to keep data centers physically secure and to protect backup tapes with encryption. In an interview, security expert Andrew Weidenhamer of SecureState offers insights on these topics (See: Physical Security: Timely Tips). For example, he says any device or media that stores sensitive patient information, including backup tapes, should be encrypted. "Encryption is the single best way to protect sensitive data," he stresses.

To help call attention to the value of encryption and other protections, the Privacy and Security Tiger Team has recommended that participants in Stage 2 of the HITECH Act electronic health record incentive program be required to verify how they protect stored patient information (See: Privacy, Security Proposals Advance).

The Eisenhower Medical Center incident in March stemmed from the theft of a desktop computer (See: 514,000 Notified of Stolen Computer). More than half of the 265 major incidents reported so far have involved the theft or loss of computer devices. Roughly 20 percent, including the Health Net and New York City Health and Hospitals incidents, have involved business associates.

HITECH Act Mandate

OCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the interim final version of the HITECH Act breach notification rule took effect.

The rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents, defined as those affecting 500 or more individuals, must be reported to the Office for Civil Rights within 60 days. But breaches of information that's been encrypted using a specific standard do not have to be reported.

A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected later this year. The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine whether an incident represents a significant risk of harm and, thus, must be reported.

Meanwhile, OCR is ramping up its enforcement efforts. For example, it announced penalties in HIPAA privacy violation cases against Cignet Health and Massachusetts General Hospital.

OCR has asked for more funding in its fiscal 2012 budget for its HIPAA and HITECH Enforcement efforts. For example, it's seeking $1.3 million to investigate smaller breach incidents, which must be reported to OCR annually under the HITECH Act.

This spring, state attorneys general are getting training on how to file federal HIPAA civil lawsuits as enabled under the HITECH Act. And a HITECH-mandated HIPAA compliance audit program is still in the works, with at least one pilot likely this year, says Susan McAndrew, OCR's deputy director of health information privacy (See: OCR's McAndrew on Enforcing HIPAA).

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.