Breach List Grows to 52
Most involve theft or loss
Of the breaches reported so far, 75 percent have involved the theft or loss of a device, such as a laptop, or paper records.
The Office for Civil Rights within the U.S. Department of Health and Human Services is regularly updating on its Web site a list of organizations that have notified HHS about a breach of unsecured health information involving more than 500 individuals. The list is for incidents since September 2009, when new reporting requirements kicked in.
Under the HITECH Act's breach notification rule, such incidents must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually.
To view the list, click here.
Only one hacker
Only one hacking incident is on the list. That Dec. 8, 2009, incident at a private practice in Wilmington, N.C., affected 2,000 individuals. Also, only one phishing scam is listed; that case affected 610 at the University of California, San Francisco, on Sept. 22, 2009.
Two of the most recently added breaches are:
- The theft of a laptop Feb. 20 at Montefiore Medical Center in New York, affecting 625;
- The theft of a portable electronic device Feb. 20 at a private practice in San Antonio, Texas.
Seven of the incidents on the list are identified only as "private practices" without specifying the name of the organization. "Under current Privacy Act provisions, the Office for Civil Rights may not disclose the names or other identifying information about private practitioners without their written consent," the OCR said in a recent statement.
Difficult to find?
Some observers have questioned why the list is displayed deep within the OCR Web site. For a story on those concerns, click here.
OCR adds new breaches to the site once they are verified by regional offices. They are listed in order by the date of the incident, so it's not easy to pinpoint which cases are newly added. For example, one case dating back to October was added within the last two weeks.
