Breach Tally Surpasses 19 MillionSutter Health Incident Finally Added to List
With the tardy addition of the Sutter Health breach, the federal "wall of shame" tally of major healthcare information breaches now includes 385 incidents affecting more than 19 million individuals since September 2009.
The Department of Health and Human Services' Office for Civil Rights recently added the Sutter Health breach, which occurred in October, to its official tally of breaches affecting 500 or more individuals. It adds incidents once it confirms the details.
Healthcare information on 943,000 individuals was on an unencrypted desktop computer that was stolen in October from a Sutter facility in California; that total is reflected in the official federal healthcare breach tally. But in announcing the breach, Sutter Health noted that two databases with information on 4.2 million patients were on the device.
A database for Sutter Physician Services, which provides billing and other administrative services for 21 Sutter units, held only limited demographic information on about 3.3 million patients collected from 1995 through January 2011. The device also contained a database with more extensive information on 943,000 Sutter Medical Foundation patients, dating from January 2005 to January 2011. This smaller database included the same demographic information as the larger database, plus dates of service and a description of diagnoses and/or procedures.
Sutter Health faces two class action lawsuits in the wake of the breach.
Breach List Update
In addition to adding the Sutter Health incident, federal officials added five much smaller incidents to the official breach tally in the past month.
Of the 385 incidents affecting 500 or more individuals that are now included in the official tally after being reported to authorities as required under the HIPAA breach notification rule, roughly 55 percent have involved lost or stolen unencrypted electronic devices or media. About 22 percent have involved a business associate.
The interim final version of the HIPAA breach notification rule, which became effective in September 2009, requires healthcare organizations to notify those affected by breaches of any size. Major incidents must be reported to the HHS Office for Civil Rights within 60 days. Smaller breaches must be report to the office annually.
A final version of the rule could further clarify exactly what types of incidents need to be reported. It's expected in the coming months as part of an "omnibus" package of several rules. The interim final version now in effect contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.
Minnesota Breach Lawsuit
In other healthcare breach news, Minnesota Attorney General Lori Swanson has announced a lawsuit against Accretive Health Inc., a debt collection agency, for its role in a breach incident affecting about 20,000 patients at two hospitals in the state. An unencrypted laptop was stolen from the parked rental car of an Accretive employee. It contained healthcare information, as well as some Social Security numbers and other personal data, on patients treated at Fairview Health Services and North Memorial Health Care.
The suit alleges Accretive violated state and federal health privacy laws, as well as other laws, in the breach incident. It seeks an injunction restricting how Accretive uses patient data and holding the company accountable for its violations of the laws.
To help prevent breaches, mobile devices should be routinely encrypted even if storage of sensitive information on them is prohibited, says security expert Melodi Mosley Gates (see: Tips for Encrypting Mobile Devices).
"Even with the best of intentions, and the most technically enforced policy, a ban for putting sensitive information on mobile devices is probably not going to be 100 percent effective," the attorney contends. That's because all mobile devices enable users to enter data and to receive e-mails that may, in some cases, contain sensitive information.
As a result, her advice is to "have a policy in place that minimizes the amount of sensitive information that can land on mobile devices and still encrypt mobile devices." Although this approach "may feel like a belt and suspenders," it's the best way to minimize the risk of data breaches involving tablets, smart phones, laptops and other mobile devices, which can easily be lost or stolen, Gates says.