Health Data Breach Trends: An Analysis
Will Breaches Spike With HIPAA Rule Changes?In the past month, the Department of Health and Human Services has added only a handful of breaches to its "Wall of Shame" website of breaches affecting 500 or more individuals. Most of 2013 breaches added to the tally so far have been relatively small breaches, at least compared to some eye-poppers of the past.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
But don't be misled: There are a few whoppers likely headed to the federal tally soon, based on some recent cases that have surfaced over the past several weeks. Those include: A breach at the Texas Health Harris Methodist Hospital Fort Worth, which may have affected up to 277,000 patients; and an incident at the Indiana Family and Social Services Administration, which may have impacted up to 188,000.
The HHS Office for Civil Rights adds breaches to the tally once it confirms the details. (Note that the office added a 2012 incident in late June.) So the total number of individuals affected by breaches in 2013 could potentially triple once those incidents in Texas and Indiana are added, assuming the investigations confirm the numbers.
Breach Surprises
What's surprising is that the two biggest healthcare breaches to grab headlines this year - and likely to grab a spot on the federal tally - aren't the typical lost or stolen unencryptedlaptop or storage disk incidents. Rather, those breaches involved improper disposal of records and improper disclosure. And both involved business associates.
In the Texas Health breach, decades-old microfiche medical records that were slated for destruction by a contractor were found intact in a public dumpster in a park.
And in the Indiana incident, the state agency, which administers Indiana's Medicaid program, notified almost 188,000 clients this month that their personal information may have been inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate.
The Texas breach serves as a reminder about safeguarding old records even when they're slated for destruction. The Indiana incident illustrates how computer errors - maybe a technical glitch or maybe a human mistake - can also result in breaches.
But both incidents should also remind covered entities to be watchful of their business associates and the precautions those partners take in protecting protected health information.
Once the Sept. 23 enforcement deadline for HIPAA Omnibus Rule hits, business associates will be directly liable for HIPAA compliance, including potential HHS penalties for breaches, which can soar up to $1.5 million per violation.
Latest Breach Statistics
Business associates have been involved in about 22 percent of the 627 breaches that have made it to the HHS wall of shame from September 2009 through this week. Those breaches have affected a total of about 22.2 million individuals.
In the last month, federal authorities have added only seven breaches affecting a total of 31,000 individuals to that tally. So far, the tally includes 48 breaches in 2013 affecting a total of about 205,000 individuals. By comparison, the tally includes about 150 breaches in 2012 affecting about 1.7 million.
One thing that hasn't changed: The No. 1 cause of breaches continues to be lost or stolen unencrypted devices and media. It's amazing that so many breaches still involve unencrypted devices. The importance of encryption should top-of-mind by now, given all the publicity about breaches since 2009. But perhaps these continuing breaches are proof of just how difficult it is to manage mobile devices, especially as BYOD proliferates.
What will happen to the breach tally once the beefed-up breach notification requirements under the HIPAA Omnibus Rule are enforced in September? I'm predicting we'll see a spike of reported breaches, at least for a while, especially those involving business associates.
What are your predictions about changes in the frequency, size and nature of reported breaches once enforcement of the HIPAA Omnibus rule kicks in? Add your comments in the space below.