Breach List: Thefts, Losses Dominate
77 major incidents reported to feds
More than 60 percent of the incidents, all of which affected more than 500 individuals, involve the theft or loss of a device, such as laptops, USB flash drives, CDs or hard drives. About 10 percent involve the theft or loss of paper records.
Other incidents have a wide variety of causes, ranging from mailing errors to unauthorized access to records or e-mails. Only one phishing incident has been reported, and there have been no reports of a massive hacker attack. About a dozen cases simply list "other" as the cause.
The list points to the need for healthcare organizations to intensify their efforts to keep mobile devices secure, experts say.
Under the HITECH Act breach notification rule, major breaches must be reported to the HHS Office for Civil Rights and the news media as well as the individuals affected within 60 days. The OCR began compiling the breach list in February, tracking incidents beginning last September.
So far, February has been the biggest month for major breaches, with 19 reported. About 14 cases involve breaches at business associates, such as a billing service or a software company.
Among the largest incidents reported so far are:
BlueCross BlueShield of Tennessee alerted nearly 1 million individuals to a breach stemming from the theft of 57 hard drives from a closed call center.
Affinity Health Plan notified over 400,000 about a breach related to returning leased copy machines that contained hard drives with patient information stored on them.
Avmed Health Plan alerted more than 200,000 about a breach related to the theft of two laptops.
Since launching the list, OCR has not displayed the names of solo practitioners who have experienced major breaches, listing them only as "private practice." But that is slated to change later this month, thanks to a shift in policy recently announced in the Federal Register, which will enable the naming of the physicians involved.