Breach List Update: Tally ChangesWellPoint Slashes Estimate of Breach Impact
The total tally of individuals affected is lower than it was a month ago as a result of a continuing investigation into a breach at a WellPoint Inc. website dating back to last November. When that incident was first posted to the official federal breach list on June 29, the total of those notified was 480,000. But now the official tally lists the number of individuals potentially affected as 31,700, based on WellPoint's continuing investigation.
In the past 30 days, about 19 new major breach cases affecting a total more than 250,000 individuals were reported to the Department of Health and Human Services' Office for Civil Rights. A month ago, the breach list showed that about 5 million Americans had been affected, including all those originally notified of the WellPoint incident. On Aug. 23, with the new incidents added and Wellpoint's impact downsized, the total stood at 4.76 million.
Why the Change?In the WellPoint incident, the insurer became aware of the website breach March 8, when it was notified that an insurance applicant had filed a class action suit claiming her applicant information, and that of others, was readily accessible to site visitors, said Roy Mellinger, WellPoint's vice president of information technology security and chief information security officer.
The incident was the result of a temporary glitch during an upgrade to a system that WellPoint offers enrollees to track the status of their application, Mellinger told HealthcareInfoSecurity in June.
WellPoint then, in consultation with the HHS Office for Civil Rights, decided "out of an abundance of caution" to notify all of the approximately 480,000 applicants in its database about the breach and offer them a year's worth of free credit and identity protection services, a company spokesman re-confirmed Aug. 23.
Later, after the notifications were sent out, WellPoint reviewed information that had been placed in escrow by the court and was able to pinpoint that only about 31,700 consumers had their information placed at risk as a result of the website glitch, the spokesman said. The insurer, however, still has no evidence that the information has been misused.
The HHS Office for Civil Rights acknowledged that WellPoint submitted an addendum to its original breach notification "which modified the number of individuals impacted by the breach." But the office would not offer further comment on why it lowered the total on its list.
Reporting RequirementsUnder the HITECH Act's breach notification rule, breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights and the news media, as well as the individuals affected within 60 days.
About 57 percent of the incidents reported so far involve the theft or loss of computer devices, including laptops, USB flash drives, CDs and hard drives.
So far, 28 incidents, or roughly 20 percent, have involved business associates, vendors that have contracts with healthcare organizations and have access to protected health information.
A recently announced proposal to modify the HIPAA privacy, security and enforcement rules makes it even more clear that business associates, as well as their subcontractors, must comply with the rules.
Biggest IncidentsThe five largest incidents reported so far are:
- Avmed Health Plan alerted more than 1.2 million about a breach related to the theft of a laptop.
- BlueCross BlueShield of Tennessee informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center.
- South Shore Hospital in South Weymouth, Mass., reported that unencrypted backup computer files containing information on about 8000,000 people apparently were lost when they were being shipped to another site for destruction.
- Affinity Health Plan notified about 345,000 (originally estimated at 409,000) about a breach related to returning leased copy machines that contained hard drives with patient information stored on them.
- Emergency Healthcare Physicians Ltd. in suburban Chicago alerted more than 180,000 to a breach involving the theft of a portable hard drive at a billing service.
Other BreachesIn addition to the major breaches reported so far, the HHS Office for Civil Rights received more than 7,500 reports of breaches affecting less than 500 individuals as of mid-July, said Adam Greene, senior health information technology and privacy specialist at the HHS Office for Civil Rights, at an Aug. 16 conference. Many of those smaller cases, he said, involved paper records and fax machines. He urged hospitals and clinics to take steps to make sure that faxed records wind up at the appropriate destination. Because so many of the major breaches reported so far have involved the theft or loss of unencrypted portable computers and media, Greene reminded hospitals and clinics to make widespread use of encryption.
Steps to TakeTo help minimize the risk of breaches, hospitals and clinics should carefully review and update their records management policies and procedures. That's the advice from Jack Rovner and Kathryn Roe, principals at The Health Law Consultancy, Chicago. In addition to widespread use of encryption, key steps, the attorneys say, include:
- Determining what protected health information the organization has and where it is kept;
- Controlling where the information can be stored and restricting when it can be transferred to portable devices and media. "Be out in front on this issue so that an employee can't say, 'well it wasn't prohibited so I thought it was OK,'" Roe says;
- Retaining information for the appropriate time period to minimize the risk of a breach of old data. Information should be retained only as long as required by state law, by contract or by business needs, Roe adds;
- Destroying or de-identifying information no longer needed.