Far More Health Breach Victims in 2013
Handful of Mega-Breaches Are to Blame
More than twice as many individuals have been affected by healthcare data breaches in 2013 as in 2012. The main reason is a handful of mega-breaches this year, the current federal tally shows.
But three recent large breaches that grabbed headlines have not yet made it to the tally. If the total number of individuals affected in those incidents is confirmed, the official 2013 tally of breach victims could surge by almost 1 million.
The Department of Health and Human Services' Office for Civil Rights continually adds breaches to its "wall of shame" tally as it confirms details.
A Dec. 20 snapshot of the tally, which lists breaches affecting 500 or more individuals since September 2009, shows more than 5.7 million individuals have been affected by more than 130 health data breaches in 2013, versus about 2.7 million individuals who were affected by more than 160 breaches in 2012.
Not yet included on the 2013 list so far are:
- A November breach reported by Horizon Blue Cross Blue Shield of New Jersey. That incident, involving the theft of two unencrypted desktop computers from the company's headquarters, potentially affected nearly 840,000 individuals.
- A malware breach at the University of Washington Medicine that affected 90,000 patients.
- A December breach at Cottage Health System in California, affecting 32,500 patients who apparently had their personal and health information exposed on Google for 14 months because of a lapse in a business associate's protections for one of its servers.
Key steps to preventing healthcare data breaches of all sizes, experts say, include conducting a thorough risk analysis to identify security risks; encrypting computing devices, especially mobile gear; and minimizing the amount of sensitive data stored on end-users' devices.
Large 2013 Breaches
Of the 5.7 million individuals affected by 2013 incidents that have been posted on the federal tally so far, more than 90 percent were victims of four large breaches. Those include:
- A July breach involving the theft of four unencrypted desktop computers from an office of Advocate Medical Group, a Chicago-area physician group practice. That breach, which the federal tally lists as affecting more than 4 million individuals, has resulted in a class action lawsuit.
- An October breach at AHMC Healthcare involving two unencrypted laptop computers stolen from the company's administrative offices in California. That breach impacted 729,000 individuals.
- A May incident at Texas Health Harris Methodist Hospital Fort Worth involving decades-old microfiche medical records that were slated for destruction, but were instead found intact in a public dumpster in a park. The breach affected 277,000 patients.
- An April case at the Indiana Family and Social Services Administration impacting 188,000 clients whose personal information was inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate.
"I have to shake my head when I see 4 million patient records on desktops," says Mac McMillan, CEO of the consulting firm CynergisTek, referring to the Advocate breach involving four stolen desktop computers. Having that much unencrypted data on desktops, rather than on servers in a locked data center, creates serious risks, he notes.
Since September 2009, when the HIPAA breach notification rule first went into effect, OCR has confirmed 736 breaches affecting nearly 28 million individuals. Of those, approximately 21 percent have involved business associates.
And the No. 1 cause of breaches has been lost or stolen unencrypted computing devices or media, the tally shows.
That trend continued in 2013, as about half of the breaches this year have involved lost or stolen devices or media, including the year's biggest incident at Advocate Medical Group.
Under the HIPAA Omnibus Rule, which regulators began enforcing in September, business associates are directly liable for HIPAA compliance. The rule also spells out in more detail that an incident involving protected health information is presumed to be a reportable breach unless a risk assessment shows a low probability that the information was compromised.
Independent security consultant Brian Evans predicts that the number of healthcare data breaches reported will rise in 2014, especially as business associates become more aware of their HIPAA compliance responsibilities.
"Business associates are less mature in identifying, analyzing and reporting on security incidents," he says. "As business associates move from a reactive mode to a more formal and mature information security program, it's only logical that more security incidents will be identified and reported."
So far, however, the federal tally shows about 18 percent of the 2013 breaches involved business associates, down from about 25 percent in 2012.
To help prevent breaches, organizations should monitor the security practices of their vendors, experts say.
"Hold business associates accountable," Evans suggests. "Most health care organizations take a one-size-fits-all approach to managing business associate risk and leave it to the business associate agreement to do all the work. Contracts and agreements alone are weak controls unless compliance can be verified."
The amount of oversight required for a particular business associate depends on the potential risks involved, Evans says. "Periodically review the business associate's operations in order to verify that they are consistent with the terms of the written agreement and that compliance standards are being met. But, just as important, you should ensure their continuing compliance with applicable federal and state laws, rules, and regulations, as well as internal policies and procedures," he says. "Consider designating a specific individual or team to coordinate the oversight activities with respect to your significant business associate relationships, and, as necessary, involve other operational areas, such as audit and IT, in the monitoring process."
Role of Encryption
Compliance expert William Miaoulis, CEO of consulting firm HSP Advisors, offers a more optimistic view. He expects that as more organizations improve their implementation of encryption, the frequency of major breaches will decline in 2014.
"I actually think we will see the number of immediately reportable breaches go down on the 'wall of shame' because many organizations have taken the safe harbor approach of encryption," he says.