Breach List: Thefts, Losses Dominate

77 major incidents reported to feds
The list of major healthcare breaches reported to federal authorities now stands at 77, with about 70 percent stemming from the theft or loss of a computer device or paper records.

More than 60 percent of the incidents, all of which affected more than 500 individuals, involve the theft or loss of a device, such as laptops, USB flash drives, CDs or hard drives. About 10 percent involve the theft or loss of paper records.

Other incidents have a wide variety of causes, ranging from mailing errors to unauthorized access to records or e-mails. Only one phishing incident has been reported, and there have been no reports of a massive hacker attack. About a dozen cases simply list "other" as the cause.

Action needed

The list points to the need for healthcare organizations to intensify their efforts to keep mobile devices secure, experts say.

Under the HITECH Act breach notification rule, major breaches must be reported to the HHS Office for Civil Rights and the news media as well as the individuals affected within 60 days. The OCR began compiling the breach list in February, tracking incidents beginning last September.

So far, February has been the biggest month for major breaches, with 19 reported. About 14 cases involve breaches at business associates, such as a billing service or a software company.

Biggest cases

Among the largest incidents reported so far are:

BlueCross BlueShield of Tennessee alerted nearly 1 million individuals to a breach stemming from the theft of 57 hard drives from a closed call center.

Affinity Health Plan notified over 400,000 about a breach related to returning leased copy machines that contained hard drives with patient information stored on them.

Avmed Health Plan alerted more than 200,000 about a breach related to the theft of two laptops.

Since launching the list, OCR has not displayed the names of solo practitioners who have experienced major breaches, listing them only as "private practice." But that is slated to change later this month, thanks to a shift in policy recently announced in the Federal Register, which will enable the naming of the physicians involved.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
