Major Breaches: Progress in 2011?Numbers Seem to Show a Downward Trend
Since September 2009, The Department of Health and Human Services' Office for Civil Rights, carrying out a HITECH Act mandate, has been posting major health information breach incidents to its online list once it confirms all the details. So far, the list includes 288 major incidents affecting about 11 million Americans.
But as we reported this week, only 32 incidents that have occurred in 2011 have been posted to the list (see: 11 Million Affected by Major Breaches). And although this year's incidents have affected a total of about 2.7 million, just one incident - involving insurer Health Net and its business associate IBM - accounted for 1.9 million of those.
It appears the 'wall of shame,' as it builds awareness - and bad publicity - about breaches, may be motivating more organizations to launch breach prevention strategies.
So (dare we say it?) it appears the wall of shame, as it builds awareness - and bad publicity - about breaches, may be motivating more organizations to launch breach prevention strategies. Fewer major incidents (those affecting 500 or more individuals) are being posted this year. Of course, that could change in the blink of an eye. But for now, it's good news, indeed.
The federal tally shows that about 210 major breaches occurred in 2010, affecting about 5.4 million. That's an average of 17.5 incidents per month. For the first three months of 2011, by comparison, the average is less than 9 incidents per month. (Of course, that average might change as federal authorities gather more information about more incidents).
Will that decline in breach incidents continue throughout this year, or will the tally ebb and flow? And will another mega-breach dramatically add to the total affected? We'll have to wait and see.
One thing we know for sure: The list confirms that the most common cause of breaches is the theft or loss of computer devices and media. Not hackers. Not grand conspiracies. Just unencrypted laptops, desktops, hard drives and other computer gear getting lost or stolen.
So it's time to think long and hard about whether patient information needs to be stored on any particular device. And it's time to encrypt stored information as well as e-mail. If more organizations take at least those steps, perhaps the trend toward fewer breaches will continue.