Health Breaches: 5.35 Million Affected

Fewer Incidents in Past Month, But One Was Large
There was good news and bad news in the past month about the official federal tally of major health information breaches. While only six new incidents were added to the tally -- far fewer than in previous months -- one of those cases affected more than 280,000 individuals.

The tally from the Department of Health and Human Services' Office for Civil Rights now stands at 192 incidents since September 2009, affecting a total of 5.35 million Americans.

Keystone/AmeriHealth Mercy Health Plans recently reported a health information breach involving the loss of an unencrypted flash drive that potentially affected 286,000 individuals. The flash drive included health ID numbers and certain health information on all the patients, plus the last four digits of 801 members' Social Security numbers and complete Social Security numbers for seven others, the Medicaid plans reported. The health plans, which serve a total of 400,000 members, offered free credit monitoring to those whose Social Security numbers, either in whole or in part, were on the drive.

With 286,000 notified, the Keystone/AmeriHealth incident is the fifth-largest breach notification so far under the HITECH Act's interim final breach notification rule.

Fewer Breach Incidents

The low number of incidents reported since Oct. 22 continues a downward trend. There were 20 incidents added the previous month and 28 the month before that.

Of the six incidents reported, which affected a total of about 304,000, three involved the loss or theft of a computer device. About 57 percent of all incidents reported to authorities so far have had this cause.

In a presentation earlier this month, Adam Greene, senior health IT and privacy specialist at the Office for Civil Rights, noted that the most common location for breaches so far is laptops, representing 24 percent of cases. Paper records have been involved in 22 percent of cases, desktop computers in 16 percent and portable electronic devices in 14 percent. And 52 percent of all cases involve theft, making that the leading cause overall.

Federal Breach Scorecard

The Department of Health and Human Services' Office for Civil Rights began posting incidents to its breach list on Feb. 22 for cases dating back to last September. The list was mandated by the HITECH Act.

Under the HITECH Act's interim final breach notification rule, breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights and the news media, as well as the individuals affected, within 60 days.

A final breach notification rule, which could further clarify exactly what types of incidents need to be reported, is still in the works.

So far, roughly 20 percent of the breach incidents reported have involved business associates -- vendors that have contracts with healthcare organizations and have access to protected health information. None of the six incidents added in the past month involved a business associate.

A recently announced proposal to modify the HIPAA privacy, security and enforcement rules makes it even clearer that business associates, as well as their subcontractors, must comply with the rules.

Largest Health Information Breaches

In addition to the Keystone/AmeriHealth incident, the largest breaches on the federal tally are:

  • AvMed Health Plan alerted more than 1.2 million about a breach related to the theft of a laptop.
  • BlueCross BlueShield of Tennessee informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center.
  • South Shore Hospital reported a breach involving the loss of backup computer tapes that could affect 800,000.
  • Affinity Health Plan notified about 345,000 about a breach related to returning leased copy machines that contained hard drives with patient information stored on them.

About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
