A Look at Calif. Breach Report
AG's Review Highlights Where, Why Breaches Occurred
A new breach report by the California attorney general's office re-confirms an ongoing problem.
The major culprit in the 131 breaches that affected 2.5 million total individuals in the state last year was unencrypted data. And lost or stolen unencrypted devices have been a major problem in the healthcare arena throughout the United States for years.
In 2012, companies and state agencies in California were subject for the first time to a law requiring them to report to the state attorney general's office any breach involving more than 500 Californians. Although not mandated by the state, Attorney General Kamala D. Harris recently issued the state's first public report detailing those breaches.
"Data breaches are a serious threat to individuals' privacy, finances and even personal security," Harris said in a statement announcing the report. "Companies and government agencies must do more to protect people by protecting data.
"First, companies should encrypt digital personal information when moving or sending it out of their secure network," Harris said. "In 2012, encryption would have prevented reporting companies and agencies from putting over 1.4 million Californians at risk."
Of course, California isn't the only place where breaches involving unencrypted data are a problem. Month after month for the past few years, the U.S. Department of Health and Human Services' infamous "wall of shame" of breaches has been dominated by incidents involving unencrypted data, and most often mobile devices.
While only 27 percent of California's 2012 breaches - 36 in total - involved unencrypted data, those incidents accounted for more than half of the people affected, or 1.4 million individuals. Those incidents include breaches that involved lost or stolen devices, as well as misdirected e-mail that contained unencrypted personal data.
But it's the "physical" breaches that involved lost and stolen unencrypted devices that tended to be larger and affected more people on average, according to the report.
"Breaches caused by a failure to protect physical information assets affected 40,223 people on average, nearly three times the 15,656 affected in an average intrusion," the report says.
In fact, two of the five largest breaches were in this "physical" unencrypted category. We're talking about the California Department of Social Services reporting in March 2012 a lost computer storage device containing information on 845,000 parents, children, and caregivers, as well as a May 2012 breach at Emory Healthcare, which reported missing storage disks containing financial and medical information on 318,000 patients, including Californians.
Other health-related entities reporting breaches in 2012, according to the California report, included Apria Healthcare, California Department of Health Care Services, Kaiser Permanente, L.A. Care Health Plan, St. Therese Medical Group, and Stanford Hospital & Clinics and School of Medicine.
Stanford's incident in August 2012, which affected 2,500 patients, involved the theft of an unencrypted computer from a physician's locked office. But that's not the only unencrypted data breach that Stanford's affiliated medical units have had over the last several years. Those other incidents include two in 2013, also involving unencrypted devices.
In fairness, Stanford appears to be learning from the mishaps. The organization has an aggressive program under way to ramp up security and privacy efforts in a number of areas, including encryption, says Bill Lazarus, information security officer at Stanford's Lucile Packard Children's Hospital (see: Fewer Health Breaches, But Same Culprit).
Good and Bad
The good news for healthcare providers is that while they were involved in a few of California's larger breaches last year, they weren't responsible for the largest number of incidents. In fact, the retail industry led the pack, with 34 breaches, or 26 percent of the total. Next was finance and insurance with 30 breaches, or 23 percent. Healthcare came in third, with 19 incidents representing 15 percent of the total.
Rounding out the remaining incidents were 11 breaches in education, and 10 breaches in government, for 8 percent each. Meanwhile, professional services had 7 incidents, or 5 percent of the total. All other sectors combined accounted for 20 breaches, or 15 percent of the total.
The lesson from this report? Healthcare entities in California and elsewhere must be aware: If you haven't found a good enough argument to get moving on your encryption programs, there are at least 1.5 million good reasons to do that soon. Under the HIPAA Omnibus Rule, HIPAA non-compliance penalties rise to a maximum of $1.5 million per violation. The compliance deadline for the rule is Sept. 23 - just over two months from now.
It seems California state enforcement and regulations related to encryption could be getting tougher soon too, by the sound of the AG's report:
"The Attorney General's Office will make it an enforcement priority to investigate breaches involving unencrypted personal information, and encourages our allied law enforcement agencies to similarly prioritize these investigations," the report says. "We also recommend enacting a law to require the use of encryption to protect personal information on portable devices and media and in e-mail."
So, really, it doesn't matter what state you're located in; healthcare entities everywhere need to make encryption a top priority if they can't justify another sound way to prevent data breaches, especially those involving mobile gear.
Let this 2012 report be a fair warning about how to keep your organization's name out of 2013's breach totals.