Healthcare Breaches: A New Top 5
All Incidents Involved Missing or Stolen Devices, Media

The TRICARE incident is not yet included in the Department of Health and Human Services' Office for Civil Rights' official tally of major health information breaches. That list now shows there have been 330 breaches, affecting a total of about 11.8 million individuals, confirmed since September 2009, when the breach notification rule took effect (see: 2 Years of Breaches: An Assessment).
All of the top five breaches have involved missing or stolen computer devices or media, including backup tapes, server drives and a laptop.
Security specialist Tom Walsh, president of Tom Walsh Consulting, points out that most breaches "could have been prevented with encryption of media and mobile devices."
Three of the five largest breaches, including TRICARE, involved business associates. As a result, healthcare organizations need to make sure that their vendor partners take adequate security precautions, says Adam Greene, a partner at the Washington law firm Davis Wright Tremaine LLP.
Here's a summary of the top five health information breaches reported since September 2009:
- TRICARE: About 4.9 million patients treated in San Antonio area military treatment facilities since 1992 were affected. Science Applications International Corp., one of TRICARE's business associates, reported the breach to TRICARE on Sept. 14. The incident involved backup tapes stolen from a car.
- Health Net: The insurer notified 1.9 million individuals nationwide that healthcare and personal information may have been breached as a result of nine server drives discovered missing from a California data center managed by IBM. Health Net said IBM, the insurer's vendor responsible for managing IT infrastructure, notified the company in January that the drives were missing from a data center in Rancho Cordova, Calif.
- The New York City Health and Hospitals Corp.: This breach, which affected 1.7 million individuals, stemmed from computer backup tapes that were stolen in December 2010 from a business associate's truck. An employee of the business associate, GRM Information Management Services, was transporting the tapes to a secure storage location.
- AvMed Health Plans: This December 2009 breach was caused by the theft of an unencrypted laptop, which may have included information on more than 1.2 million current and former members.
- BlueCross BlueShield of Tennessee: In October 2009, 57 unencrypted hard drives containing information on about 1 million individuals were stolen from a leased facility that formerly housed a call center for the insurer. The company was in the process of moving out of the facility, where several employees still worked.
One of the largest breaches in history occurred back in 2006 when a Department of Veterans Affairs employee's unencrypted laptop, containing information on 26.5 million veterans, was stolen. The incident led the VA to encrypt all laptops.