The Security Scrutinizer with Howard Anderson

Breach List: Good News, Bad News

Fewer Huge Cases, But Unencrypted Devices Still a Problem

If you take a close look at the official federal tally of major health information breaches, you'll find there's some good news and some bad news.

The good news: There hasn't been a mega-breach reported in a while, so the growth in the number of Americans affected by breaches has slowed down.

The bad news: Despite tons of news coverage about breaches, incidents involving the loss or theft of unencrypted computer devices, from laptops and desktops to USB drives, remain the most common.

About 4.9 million Americans have been affected by 166 major breaches since last September, according to the tally from the Department of Health and Human Services' Office for Civil Rights. But the top five incidents represent more than 70 percent of that total.

The most recent of those incidents involved South Shore Hospital in South Weymouth, Mass., which reported that two boxes of backup computer tapes being sent for disposal were misplaced, potentially affecting 800,000.

That case has proven controversial, because the Massachusetts attorney general has objected to the hospital's decision not to individually notify those potentially affected.

In a recent blog post, I expressed hope that when federal regulators issue the final version of the breach notification rule, they will clarify precisely when a breach must be reported to individuals as well as to regulators.

While it's certainly good news that we haven't seen a breach affecting more than 100,000 added to the list in the past two months, it's definitely bad news that so many breaches stem from the loss or theft of unencrypted devices.

For example, 19 of the most recent 28 cases added to the list involved such a theft or loss. Since federal regulators began compiling the list of breaches affecting 500 or more individuals, about 58 percent of cases have stemmed from the theft or loss of devices.

It's worth noting, once again, that the interim final breach notification rule now in effect, as called for under the HITECH Act, created a safe harbor that states breaches involving data encrypted to a specific standard don't have to be reported.

So those nearly 100 breach incidents involving the loss or theft of devices wouldn't be on the list if only the data on the devices had been adequately protected.
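As an added illustration, not part of the column or of the OCR tally, the following Python script applies the two rules the column leans on, the encryption safe harbor and the "loss or theft of a device" category, to a handful of constructed incident records and computes the same kind of summary figures: how many incidents make the list, how concentrated the affected-individual counts are in the top five, and how many listed cases stem from unencrypted device loss or theft. The field names, the sample records and the simplified reportability test are assumptions made for the example; a real determination depends on the rule's risk assessment and on the NIST encryption guidance the rule references, so treat `is_reportable` as a model of the column's reasoning, not legal advice.

```python
"""Summarize a constructed list of health data breaches the way the column
reads the OCR tally: safe-harbor exclusion, device loss/theft share, and
concentration of affected individuals in the largest incidents.

All records below are constructed for illustration; none is a real incident.
"""
from dataclasses import dataclass

# Constructed vocabulary for causes and media (assumption, not OCR's schema).
DEVICE_CAUSES = {"theft", "loss"}
DEVICE_MEDIA = {"laptop", "desktop", "usb", "backup_tape"}


@dataclass(frozen=True)
class Incident:
    entity: str
    individuals: int
    cause: str            # e.g. "theft", "loss", "hacking", "improper_disposal"
    media: str            # e.g. "laptop", "usb", "backup_tape", "paper", "network_server"
    encrypted: bool       # data encrypted to the standard the rule references
    key_compromised: bool = False  # encryption only counts if the key stayed safe


def is_reportable(inc: Incident) -> bool:
    """Simplified safe-harbor test: encrypted data whose key was not also
    exposed is treated as secured and need not be reported. Everything else
    is unsecured PHI and goes on the list."""
    return not (inc.encrypted and not inc.key_compromised)


def is_device_loss_or_theft(inc: Incident) -> bool:
    """The category the column singles out: a lost or stolen computing device."""
    return inc.cause in DEVICE_CAUSES and inc.media in DEVICE_MEDIA


def summarize(incidents: list[Incident]) -> dict:
    """Return the headline numbers for the incidents that would appear on the list."""
    listed = [i for i in incidents if is_reportable(i)]
    excluded = [i for i in incidents if not is_reportable(i)]
    device_cases = [i for i in listed if is_device_loss_or_theft(i)]
    total_affected = sum(i.individuals for i in listed)
    top5 = sorted((i.individuals for i in listed), reverse=True)[:5]
    return {
        "listed_cases": len(listed),
        "safe_harbor_excluded": len(excluded),
        "individuals_affected": total_affected,
        "device_cases": len(device_cases),
        "device_share": len(device_cases) / len(listed) if listed else 0.0,
        "top5_share": sum(top5) / total_affected if total_affected else 0.0,
        # Cases that would drop off the list had the device been encrypted.
        "avoidable_with_encryption": len(device_cases),
    }


# Constructed sample: a large backup-tape loss dominates the total, several
# small device thefts, two encrypted devices that fall under the safe harbor.
SAMPLE = [
    Incident("Hospital A", 800_000, "loss", "backup_tape", encrypted=False),
    Incident("Clinic B", 2_000, "theft", "laptop", encrypted=False),
    Incident("Clinic C", 5_000, "theft", "laptop", encrypted=True),
    Incident("Practice D", 700, "loss", "usb", encrypted=False),
    Incident("Health Plan E", 12_000, "hacking", "network_server", encrypted=False),
    Incident("Hospital F", 1_500, "improper_disposal", "paper", encrypted=False),
    Incident("Hospital G", 900, "theft", "desktop", encrypted=False),
    Incident("Practice H", 3_000, "theft", "usb", encrypted=True),
]


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:>26}: {value:.3f}" if isinstance(value, float) else f"{key:>26}: {value}")
```

Run as a script it prints the summary for the constructed sample: six listed incidents, two kept off the list by the safe harbor, four of the six listed cases (two thirds) caused by a lost or stolen unencrypted device, and the top five incidents accounting for almost all of the affected individuals because one tape loss dwarfs the rest, which is the same shape the column describes in the real tally.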

Terrell Herzig, information security officer at UAB Medicine, wrote an excellent guest blog offering tips on how to protect portable devices, going far beyond the use of encryption. It's worth a close look.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
