Official Breach Tally Hits 119

The total of those affected by major breaches grew by approximately 1.5 million in the past month, primarily as a result of two large cases.

In one case, South Shore Hospital in South Weymouth, Mass. reported that unencrypted backup computer files containing personal, health and financial information on about 800,000 people may have been lost by a company that a Massachusetts Hospital hired to destroy the files. On the breach list, the business partner involved is identified as Archive Data Solutions, formerly known as Iron Mountain Data Products Inc.

In the other case, WellPoint Inc., which owns Blue Cross and Blue Shield plans in 14 states, announced in late June that it was notifying 470,000 people who applied for individual health insurance coverage that their information may have been breached on a website.

HITECH Requirements

The OCR's list contained 36 incidents when it was launched on Feb. 22.

As reported in a recent blog, OCR made several improvements in its breach list this month, including identifying private practices by name and displaying breach information in a new, searchable format. But to view the dates when each incident was added to the list requires downloading a separate spreadsheet or calling up an individual item.

Loss, Theft of Devices

Terrell Herzig, information security officer at UAB Medicine, Birmingham, Ala., suggests that healthcare organizations need to do much more to protect mobile devices and media. In a recent blog, he offered a list of 10 action items, including such steps as developing a comprehensive set of policies for portable media and devices and providing extensive staff education.

Under the HITECH breach notification rule, organizations that encrypt data in a specific way do not have to report breaches of that information.

In addition, a recently unveiled final rule setting standards for electronic health records that qualify for the new Medicare and Medicaid incentive program requires that the applications have encryption capability. But a companion rule defining how hospitals must "meaningfully use" EHRs to qualify for incentives does not specifically require the use of encryption.

Business Associates

A recently announced proposal to modify the HIPAA privacy, security and enforcement rules makes it clear that business associates and their subcontractors must comply with the rules.

"There have been so many breaches that have been the result of a lack of security controls within business associates and their subcontractors that HHS wanted to make sure they made it very clear that these organizations were responsible for HIPAA compliance," says security expert Rebecca Herold, owner of Rebecca Herold & Associates.

"The proposal makes it much clearer that the covered entities' responsibilities must go far beyond just having a business associate agreement," Herold stresses. Instead, hospitals, clinics and others must work closely with their business partners to make sure they're carefully following the HIPAA privacy and security rules, she adds.

In a recent interview, security expert Tom Walsh, president of Tom Walsh Consulting, advised business associates to take a much closer look at all their security safeguards in light of the reported breaches and the need to comply with HIPAA.

Biggest Incidents

• Avmed Health Plan alerted more than 1.2 million about a breach related to the theft of a laptop;
• BlueCross BlueShield of Tennessee informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center;
• Affinity Health Plan notified more than 400,000 about a breach related to returning leased copy machines that contained hard drives with patient information stored on them;
• Emergency Healthcare Physicians Ltd. in suburban Chicago alerted more than 180,000 to a breach involving the theft of a portable hard drive at a billing service.