Congress Gets Health Breach Update
7.9 Million Affected by Nearly 31,000 Incidents in 2009-2010

The report from the Department of Health and Human Services' Office for Civil Rights shows about 7.8 million individuals were affected by 252 major breaches (incidents affecting 500 or more). In addition, about 62,000 individuals were affected by 30,521 smaller incidents.
OCR reveals in the report that it has closed its investigation of only about 30 percent of the larger incidents, confirming that corrective action is complete.
The office regularly updates a list of major healthcare information breaches on its website. That "wall of shame" now shows 314 major breaches from September 2009 to July 2011, affecting a total of almost 11.7 million individuals.
Under the HITECH Act, enacted in early 2009 as part of the economic stimulus package, OCR was required to provide Congress with annual updates about breach reports it receives as a result of the HITECH-mandated breach notification rule. This week's report, however, is the first OCR has submitted to Congress.
Under the breach notification rule, organizations must report larger breaches to OCR within 60 days; smaller breaches can be reported to the office annually. Breaches of all sizes must be reported to the individuals affected within 60 days. Incidents involving information that has been encrypted using a specific standard, however, do not have to be reported.
Most Investigations Continuing
OCR investigates all breach incidents affecting 500 or more individuals. In its report to Congress, OCR reveals that it has closed its investigation of only about 76 of the 252 major breaches reported in 2009 and 2010 after determining the organization had taken corrective action to address "the underlying cause of the breach so as to avoid future incidents and mitigated any potential harm to affected individuals." In the remaining cases, OCR is continuing to work with the organizations to ensure appropriate corrective action is taken.

The most common remedial action taken in the wake of a major breach, according to OCR, has been revising policies and procedures. Other common steps have been improving physical security, providing additional training to workforce members, and providing free credit monitoring to those affected. Also, for the 131 breaches that involved the theft or loss of electronic information, "about 50 percent of the reports indicated that encryption technologies were being implemented as a remedial step to avoid future breaches," the report states.
Breach Incident Details
Because statistics about larger incidents have been readily available on the OCR website, the report to Congress contains few new details. It confirms that the most common causes of larger breaches have been the theft or loss of electronic information or paper records.

But the report reveals for the first time the nature of the smaller incidents. "The majority of small breach reports in 2009 and 2010 involved misdirected communications and affected just one individual each," according to the report. "Often, a clinical or claims record of one individual was mistakenly mailed or faxed to another individual. In other instances, test results were sent to the wrong patient, files were attached to the wrong patient record, e-mails were sent to the wrong address and member ID cards were mailed to the wrong individuals."
In response to these smaller incidents, organizations generally took such actions as fixing glitches in software that incorrectly compiled lists of patient names and contact information, revising policies and procedures or training employees who handled protected health information.