Health Breaches: 5.35 Million Affected
Fewer Incidents in Past Month, But One Was Large
The tally from the Department of Health and Human Services' Office for Civil Rights now stands at 192 incidents since September 2009, affecting a total of 5.35 million Americans.
Keystone/AmeriHealth Mercy Health Plans recently reported a health information breach involving the loss of an unencrypted flash drive that potentially affected 286,000 individuals. The flash drive included health ID numbers and certain health information on all the patients, plus the last four digits of 801 members' Social Security numbers and complete Social Security numbers for seven others, the Medicaid plans reported. The health plans, which serve a total of 400,000 members, offered free credit monitoring to those whose Social Security numbers, either in whole or in part, were on the drive.
With 286,000 notified, the Keystone/AmeriHealth incident is the fifth-largest breach notification so far under the HITECH Act's interim final breach notification rule.
Fewer Breach Incidents
The low number of incidents reported since Oct. 22 continues a downward trend. There were 20 incidents added the previous month and 28 the month before that.
Of the six incidents reported, which affected a total of about 304,000, three involved the loss or theft of a computer device. About 57 percent of all incidents reported to authorities so far have had this cause.
In a presentation earlier this month, Adam Greene, senior health IT and privacy specialist at the Office for Civil Rights, noted that the most common location for breaches so far is laptops, representing 24 percent of cases. Paper records have been involved in 22 percent of cases, desktop computers in 16 percent and portable electronic devices in 14 percent. And 52 percent of all cases involve theft, making that the leading cause overall.
Federal Breach Scorecard
The Department of Health and Human Services' Office for Civil Rights began posting incidents to its breach list on Feb. 22 for cases dating back to last September. The list was mandated by the HITECH Act.
Under the HITECH Act's interim final breach notification rule, breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights and the news media, as well as the individuals affected, within 60 days.
A final breach notification rule, which could further clarify exactly what types of incidents need to be reported, is still in the works.
So far, roughly 20 percent of the breach incidents reported have involved business associates -- vendors that have contracts with healthcare organizations and have access to protected health information. None of the six incidents added in the past month involved a business associate.
A recently announced proposal to modify the HIPAA privacy, security and enforcement rules makes it even more clear that business associates, as well as their subcontractors, must comply with the rules.
Largest Health Information Breaches
In addition to the Keystone/AmeriHealth incident, the largest breaches on the federal tally are:
- AvMed Health Plan alerted more than 1.2 million about a breach related to the theft of a laptop.
- BlueCross BlueShield of Tennessee informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center.
- South Shore Hospital reported a breach involving the loss of backup computer tapes that could affect 800,000.
- Affinity Health Plan notified about 345,000 about a breach related to returning leased copy machines that contained hard drives with patient information stored on them.