5 Million Affected by Health Breaches
Federal Tally Includes 186 Major Health Information Incidents
Twenty incidents affecting a total of about 117,000 individuals were added to the list in the past month, bringing the total to 186 major breaches. That compares to 28 cases affecting 140,000 added in the previous month.
Half the cases added in the past month involved the theft or loss of unencrypted computer devices; 57 percent of all incidents so far have stemmed from this cause.
Federal Breach Scorecard
The Department of Health and Human Services' Office for Civil Rights began posting incidents to its breach list on Feb. 22 for cases dating back to last September. The list was mandated by the HITECH Act.
Under the HITECH Act's interim final breach notification rule, breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights and the news media, as well as the individuals affected, within 60 days.
A final breach notification rule, which could further clarify exactly what types of incidents need to be reported, is still in the works.
Medicaid Breach
Although there have been no huge breach incidents added to the list in recent weeks, a Medicaid breach case revealed this week has yet to make it to the federal tally. In that case, Mercy Health Plan and AmeriHealth Mercy Health Plan, two affiliated insurance plans serving Medicaid patients in Pennsylvania, reported the loss of an unencrypted portable flash drive with information on 280,000 members.
Two hacking incidents were added to the list in the past month, bringing the total number of incidents that federal officials describe as involving hacking, at least in part, to about 11.
In one recent incident, the University of Oklahoma's Tulsa neurology practice notified more than 19,000 patients that one of its computers was infected by malware capable of retrieving data. The computer contained patient names, addresses, Social Security numbers, birth dates and a variety of healthcare information. The other case, at New York Presbyterian Hospital/Columbia University Medical Center, involved what federal officials listed as the hacking of a network server and affected 6,800 individuals. The organization, however, described the case as involving information that was inadvertently exposed on a webpage.
So far, roughly 21 percent of the breach incidents reported have involved business associates -- vendors that have contracts with healthcare organizations and have access to protected health information.
A recently announced proposal to modify the HIPAA privacy, security and enforcement rules makes it even more clear that business associates, as well as their subcontractors, must comply with the rules.
Largest Health Information Breaches
The biggest incident reported to federal authorities in the past four months involved South Shore Hospital, which reported a breach involving the loss of backup computer tapes that could affect 800,000. The Massachusetts attorney general has objected to the hospital's decision not to individually notify those potentially affected.
Among the other large breaches on the federal tally are:
- Avmed Health Plan alerted more than 1.2 million about a health information breach related to the theft of a laptop.
- BlueCross BlueShield of Tennessee informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center.
- Affinity Health Plan notified about 345,000 about a breach related to returning leased copy machines that contained hard drives with patient information stored on them.
- Emergency Healthcare Physicians Ltd. in suburban Chicago alerted more than 180,000 to a breach involving the theft of a portable hard drive at a billing service.
The Role of Encryption
Because so many breaches have involved the loss or theft of computer devices, many experts advise healthcare organizations to make broader use of encryption. The breach notification rule includes a "safe harbor" that exempts the reporting of breaches of data that was encrypted using a specified standard.
But healthcare organizations need to develop a better understanding of how encryption fits as one of many components in a broad security strategy, says Mac McMillan, CEO at CynergisTek.
In a recent interview, McMillan noted that many organizations have been reluctant to adopt encryption, citing concerns about the cost and the potential adverse impact on system performance. To address these concerns, hospitals and other organizations need to take steps to implement encryption in a targeted way, he suggests. He advises organizations that want to minimize the risk of major breaches to:
- Assess where patient information resides, such as on laptops, desktops, smart phones, USB drives and databases, and determine who can access the data;
- Determine whether to limit the number of places where patient information resides, for example by switching from desktop PCs to thin clients without storage capabilities;
- Adopt segmentation of networks, other access controls and data loss prevention software;
- Apply encryption only for devices and data for which there is no other acceptable control mechanism.
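The four steps above amount to a control-selection rule that can be run over a data-store inventory. The following Python script is an added example, not code from the article or from CynergisTek: it assumes a constructed CSV inventory (the device names, record counts and control columns are made up for illustration), classifies each store into a recommended action following the order of McMillan's steps (reduce the number of locations first, prefer segmentation and DLP on fixed systems, reserve encryption for portable media where no other control applies), and totals the records that would be exposed by the loss or theft of an unencrypted portable device, the cause behind most incidents on the federal tally. Whether an encrypted device actually qualifies for the safe harbor depends on the standard named in the rule, which the script does not check.

```python
import csv
import io

# Constructed sample inventory (not data from the article): one row per place
# where patient information might reside, with the controls currently in place.
# Columns: users is a ';'-separated list of accounts or roles that can read the store.
INVENTORY_CSV = """\
name,kind,holds_phi,records,encrypted,segmented,dlp,users
billing-db,database,yes,420000,no,yes,yes,billing-app;dba-team
dr-smith-laptop,laptop,yes,3500,no,no,no,dr-smith
clinic-desktop-7,desktop,yes,1200,no,no,no,front-desk
nurse-usb-12,usb,yes,800,yes,no,no,nurse-lee
backup-tapes-q3,backup_tape,yes,800000,no,no,no,it-ops
lobby-kiosk,thin_client,no,0,no,yes,no,public
"""

# Device kinds that leave the building and can therefore be lost or stolen;
# network controls cannot protect data on them once they are gone.
PORTABLE = {"laptop", "smartphone", "usb", "backup_tape"}

# Assumed threshold for "too many people can read this": tune per organization.
MAX_DIRECT_USERS = 5


def load_inventory(text):
    """Parse the CSV inventory into dicts with typed fields (step 1: know where PHI is)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": r["name"],
            "kind": r["kind"],
            "holds_phi": r["holds_phi"] == "yes",
            "records": int(r["records"]),
            "encrypted": r["encrypted"] == "yes",
            "segmented": r["segmented"] == "yes",
            "dlp": r["dlp"] == "yes",
            "users": [u for u in r["users"].split(";") if u],
        })
    return rows


def recommend(store):
    """Pick the control for one store, following the order of the four steps."""
    if not store["holds_phi"]:
        return "out-of-scope"
    if store["kind"] == "desktop":
        # Step 2: fewer places for PHI to live; a thin client removes this store entirely.
        return "relocate"
    if store["kind"] in PORTABLE:
        # Step 4: for media that can walk out the door there is no other acceptable
        # control, so encryption is the answer (and the only safe-harbor candidate).
        return "ok-encrypted" if store["encrypted"] else "encrypt"
    # Fixed systems (databases, servers): step 3 controls come before encryption.
    missing = []
    if not store["segmented"]:
        missing.append("segment")
    if not store["dlp"]:
        missing.append("dlp")
    if len(store["users"]) > MAX_DIRECT_USERS:
        missing.append("reduce-access")
    return "ok-controlled" if not missing else "add:" + ",".join(missing)


def assess(rows):
    """Return (recommendation per store, records exposed if an unencrypted
    portable device holding PHI is lost or stolen)."""
    recs = {r["name"]: recommend(r) for r in rows}
    at_risk = sum(
        r["records"]
        for r in rows
        if r["holds_phi"] and r["kind"] in PORTABLE and not r["encrypted"]
    )
    return recs, at_risk


if __name__ == "__main__":
    recommendations, exposed = assess(load_inventory(INVENTORY_CSV))
    for name, action in recommendations.items():
        print(f"{name:20} {action}")
    print(f"records on unencrypted portable media: {exposed}")
```

On the constructed inventory the backup tapes dominate the exposure figure, which mirrors why the tally's largest incidents involve tapes and drives rather than hacked servers: a single unencrypted portable store can hold more records than every endpoint combined, so step 1 (knowing where the records are) is what makes step 4 (targeted encryption) affordable.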