Breach Tally: 18 Million and Counting
Number Affected by Healthcare Breaches Continues to Grow
As the year draws to a close, the federal "wall of shame" tally of major healthcare information breaches lists 380 incidents affecting slightly more than 18 million individuals since September 2009. That tally could grow by more than 4 million individuals once a breach at Sutter Health is added.
Meanwhile, yet another class action lawsuit has been filed in the wake of a breach, this one against the University of California at Los Angeles Health System.
Missing From the List
The Department of Health and Human Services' Office for Civil Rights has yet to add the Sutter Health breach, which occurred in October, to its official tally of breaches affecting 500 or more individuals. It adds incidents once it confirms the details.
Sutter Health already faces two class action lawsuits in the wake of the breach involving the theft of an unencrypted desktop computer containing information on 4.2 million patients.
The stolen computer contained a database for Sutter Physician Services, which provides billing and other administrative services for 21 Sutter units. That database held limited demographic information on about 3.3 million patients collected from 1995 through January 2011. The device also contained a database with more extensive information on 943,000 Sutter Medical Foundation patients, dating from January 2005 to January 2011. This smaller database included the same demographic information as the larger database, plus dates of service and a description of diagnoses and/or procedures.
The latest class action lawsuit filed after a healthcare breach demonstrates that a breach does not have to be huge to prompt legal action.
The lawsuit against UCLA Health System, filed Dec. 14, seeks $1,000 in damages for each of the 16,000 individuals affected by the theft of an external computer hard drive, alleging violations of a state patient confidentiality law, according to multiple news media reports.
The breach stemmed from a Sept. 6 burglary at the home of a former employee who had left UCLA's staff in July. "Although the information on the hard drive was encrypted, the password necessary to unscramble the information was written on a piece of paper near the hard drive and cannot be located," according to a statement from the medical center. Information on the drive, UCLA reported, may have included patient names, birth dates, medical record numbers, addresses and medical record information. Social Security numbers and financial information were not stored on the device.
In July, UCLA Health System entered a resolution agreement with the Department of Health and Human Services' Office for Civil Rights in a separate case involving a series of records snooping incidents. The agreement called for the payment of an $865,000 fine plus implementation of a corrective action plan (see: UCLA Health System Fined $865,000).
In addition to UCLA and Sutter Health, organizations facing class action lawsuits after a breach include TRICARE, the military health program; Stanford Hospital and Clinics; and insurers Health Net and WellPoint (see: More Breach Class Action Lawsuits Filed).
The Latest Tally
In the past month, only eight incidents affecting a total of 74,000 individuals have been added to the official federal tally.
Of the 380 incidents affecting 500 or more individuals that have been placed on the official tally after being reported to authorities as required under the HIPAA breach notification rule, more than half have involved lost or stolen electronic devices or media. About 22 percent have involved a business associate.
In addition to the Sutter incident, the biggest healthcare breaches in 2011, in terms of the number of individuals affected, that have been confirmed by federal authorities so far are:
Five members of Congress have launched an investigation into a breach affecting 4.9 million beneficiaries of TRICARE, the military healthcare program.
The breach occurred in September when unencrypted backup tapes were stolen from the parked car of an employee of a TRICARE business associate, Science Applications International Corp.
The TRICARE incident is the largest breach reported to federal authorities so far since the HIPAA breach notification rule took effect in September 2009.
Federal authorities plus at least four state agencies have launched investigations of a breach affecting 1.9 million enrollees of Health Net, an insurance company. A class action lawsuit also was filed in the case, which involved nine server drives that were discovered missing in January from a California data center managed by IBM.
In 2009, Health Net reported another breach, affecting 1.5 million individuals nationwide, that involved the loss of a computer disk drive. That case resulted in three state fines.
Nemours, a children's health system, offered about 1.6 million individuals one year's worth of free credit monitoring and identity theft protection following an August breach incident stemming from the loss of three unencrypted backup tapes.
Patient billing and employee payroll information on the tapes, missing from a Wilmington, Del., facility owned by Nemours, included names, addresses, dates of birth, Social Security numbers, insurance information, medical treatment information and direct deposit bank account information. Nemours reported the backup tapes were stored in a locked cabinet, and the cabinet and tapes were reported missing Sept. 8. They are believed to have been removed about Aug. 10 during a facility remodeling project.
A Rancho Mirage, Calif.-based hospital notified more than 514,000 patients of a March breach of a limited amount of personal information stemming from the theft of an unencrypted computer. The computer contained a patient index backup file that included patient names, ages, dates of birth, the last four digits of Social Security numbers and the hospital's medical record numbers. It did not contain other health or financial information.