25 Health Breaches Added to Tally489 Incidents Reported Since 2009
Twenty-five incidents affecting 215,000 individuals were added over the past month to the federal tally of major healthcare information breaches. That bumps up the total to 489 breaches affecting 21 million individuals since September 2009.
The largest incident added since late July is a breach at Memorial Healthcare System in Hollywood, Fla., involving improper access to 102,000 electronic health records.
The past month was the second in a row with a substantial number of breaches added to the federal tally after a lull during the late spring when no new breaches were added to the list for several weeks (see: Health Breaches: 20.8 Million Affected). A spokeswoman for the Department of Health and Human Services' Office for Civil Rights, which compiles the breach list, said last month that department web specialists were catching up with breach postings after being delayed on other projects.
OCR began tracking breaches affecting 500 or more individuals in September 2009 when the HITECH Act-mandated HIPAA breach notification rule went into effect.
A final version of the breach notification rule, to replace the interim final version now in effect, is long overdue. Federal officials have said it will be issued later this summer as part of an omnibus package of regulations that also will include HIPAA modifications. But the package awaits final approval from the White House Office of Management and Budget, which announced in June it was extending its latest review. An OCR spokeswoman declined to comment on the status of the regulations.
So far, about 79 breaches that occurred in 2012, affecting nearly 1.9 million individuals, have been added to the federal tally.
The loss or theft of unencrypted computing devices or storage media remains the No. 1 cause of breaches - about 53 percent of all breaches reported since September 2009 stemmed from this cause. Eleven breaches of this nature were added to the tally in the past month.
Business associates have been involved in 21 percent of major breaches, including six cases added in recent weeks.
The largest of the breaches added to the OCR tally in the past month - the Memorial Healthcare System incident - involved unauthorized records access that occurred from Jan. 1, 2011, to July 5, 2012.
A statement posted July 11 on Memorial Healthcare site's website explains: "As part of an ongoing review of our patient information systems which commenced on April 27, 2012, we discovered that an employee of an affiliated physician's office may have improperly accessed patient information through a web portal used by physicians who provide care and treatment at MHS."
The notice says patients' names, dates of birth, and Social Security numbers may have been accessed during 2011 and 2012. No medical records were changed or deleted.
"During our investigation, we immediately contacted law enforcement and began a comprehensive review of our patient information systems to determine if other similar incidents may have occurred," the statement says. "Law enforcement investigators asked that we withhold notification or public announcement of this incident until now. The law enforcement hold has been lifted, and we are notifying our patients as quickly as possible."
Letters to potentially affected patients were sent out starting July 11, although the statement does not indicate how many patients were affected. Officials with the organization did not offer further details.
In another recent incident involving unauthorized access to records, federal authorities this month arrested a former Florida Hospital Celebration emergency department staffer who was charged with HIPAA violations related to alleged unauthorized access to 760,000 patient records and the sale of protected health information about more than 12,000 accident victims.
Some healthcare providers are successfully clamping down on unauthorized access to records by using detailed records access audits.
For instance, since it implemented more rigorous audits, St. Dominic-Jackson Memorial Hospital in Mississippi has reduced incidents of inappropriate access from 50 a month to fewer than one or two incidents every couple of months, says Dena Boggan, HIPAA privacy/security officer. The hospital uses an access monitoring system from Fairwarning that provides alerts and daily reports on incidents of inappropriate access.
The application allows the hospital to audit user activity simultaneously across all audit sources, or systems containing electronic protected health information, Boggan says. "Automated reporting alerts you to potential inappropriate activity within hours of occurrence, versus days, weeks, or months after occurrence," she says. "This is vital for detecting possible breaches quickly, so subsequent investigations can be launched in a timelier manner."
The hospital provides training to those involved in the incidents or imposes sanctions, depending on the nature of the violations.
Other Major Breaches
Other large 2012 breaches that have been added to the federal tally so far include:
- A February Emory Healthcare breach involving 10 missing computer disks, which affected 315,000.
- An April South Carolina Department of Health and Human Services breach, affecting 228,000 Medicaid recipients. That case involved a now-fired employee who was arrested for allegedly transferring patient information to his personal e-mail account.
- A March Utah Department of Health hacking incident that affected 780,000 individuals, including 280,000 who had their Social Security numbers exposed.