Breach Tally Hits 166 Incidents

4.9 Million Americans Now Affected
Although 28 incidents were added to the official federal tally of major healthcare information breaches in the past month, none grabbed headlines for their size. But two-thirds of the new cases involved the theft or loss of unencrypted computer devices.

The 28 new cases affected a combined total of 141,000 individuals. By comparison, 19 incidents affecting 257,000 were added in the previous month.

As of Sept. 23, the official federal tally stood at 166 incidents affecting 4.9 million. The Department of Health and Human Services' Office for Civil Rights began posting incidents to its breach list on Feb. 22 for cases dating back to last September. The list was mandated by the HITECH Act.

So far, 58 percent of all cases have involved the theft or loss of an unencrypted computer device. In the past month, 19 of the 28 cases reflected such a theft or loss, including nine incidents involving laptops, five involving desktop PCs and seven involving other "portable electronic devices" (some cases involved more than one type of device).

Reporting Requirements

Under the HITECH Act's interim final breach notification rule, breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights and the news media, as well as the individuals affected, within 60 days. The rule includes a "safe harbor" that exempts the reporting of breaches of data that was encrypted using a specified standard.

A final breach notification rule, which could further clarify exactly what types of incidents need to be reported, is still in the works.

So far, 32 incidents on the federal list, or roughly 19 percent, have involved business associates, meaning vendors that have contracts with healthcare organizations and have access to protected health information.

A recently announced proposal to modify the HIPAA privacy, security and enforcement rules makes it even more clear that business associates, as well as their subcontractors, must comply with the rules.

Dumping Case

One recent case, which has not yet been fully reflected on the federal tally, involved the dumping of thousands of unshredded paper records from pathology practices in Massachusetts.

So far, the federal breach tally lists only one of the four hospitals apparently affected. Holyoke Medical Center reported to federal authorities that 24,750 of its patients served by the pathology practices might have had records involved.

The biggest incident reported to federal authorities in the past three months involved South Shore Hospital, which reported a breach involving the loss of backup computer tapes that could affect 800,000. The Massachusetts attorney general has objected to the hospital's decision not to individually notify those potentially affected.

Among the other large breaches on the federal tally are:

  • Avmed Health Plan alerted more than 1.2 million about a breach related to the theft of a laptop.
  • BlueCross BlueShield of Tennessee informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center.
  • Affinity Health Plan notified about 345,000 about a breach related to returning leased copy machines that contained hard drives with patient information stored on them.
  • Emergency Healthcare Physicians Ltd. in suburban Chicago alerted more than 180,000 to a breach involving the theft of a portable hard drive at a billing service.

Minimizing Risk

Healthcare organizations should identify multiple steps for addressing the risks that could lead to a costly breach of information, says Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance. In a recent interview, Hourihan outlined key steps, including:

  • Conducting a detailed risk analysis;
  • Encrypting mobile devices and media as well as desktop computers;
  • Working with business associates to ensure they take adequate security steps;
  • Educating staff about security procedures and the reasons behind them;
  • Investigating whether to limit the amount of patient information stored on mobile and desktop devices;
  • Requiring vendors that remotely host electronic health records to spell out their approach to access control, vulnerability management and other security strategies;
  • Guarding against data loss, such as by banning file sharing programs on computers.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
