Healthcare Breach Tally: 409 Incidents

Major Breaches Have Affected 19.2 Million Since 2009

The federal "wall of shame" tally of major healthcare information breaches has been growing relatively slowly the past two months. It now includes 409 incidents affecting almost 19.2 million individuals since September 2009.


About 24 breaches affecting 143,000 individuals have been added to the tally since Jan. 20. So far, the list includes only four 2012 incidents affecting a total of about 29,000. The Department of Health and Human Services' Office for Civil Rights adds breaches to the tally after it investigates the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.

About 55 percent of all the major breaches reported so far have involved lost or stolen unencrypted electronic devices or media. Roughly 21 percent, including many of the largest breaches, have involved business associates.

More Affected in 2011

The tally, which is continually updated, now shows that the number of individuals affected by healthcare information breaches nearly doubled in 2011 compared with 2010, despite far fewer breach incidents last year.

More than 10.8 million individuals were affected by about 145 breaches in 2011; in 2010, about 5.4 million were affected by about 212 breaches.

The surge in the number of individuals affected during 2011 stems from a handful of huge breaches, including:

  • A breach involving TRICARE, the military health program, and its business associate, Science Applications International Corp., which affected 4.9 million. Eight class action lawsuits filed in this case may be consolidated.
  • Insurer Health Net's breach, which involved business associate IBM and affected 1.9 million.
  • A breach at the Nemours Foundation, which affected more than 1 million, according to the latest OCR tally.
  • A breach at Sutter Health, which OCR says affected just under 1 million individuals whose healthcare information was exposed; the same incident also affected another 3.3 million individuals whose records contained no healthcare information.
  • An Eisenhower Medical Center breach that affected 514,000.

These five incidents account for more than 85 percent of the individuals affected by all the major healthcare information breaches last year.

No Risk Analysis?

"Large-scale incidents make it painfully clear that inadequate, if any, HIPAA security risk analyses took place prior to the breaches," says Dan Berger, CEO of Redspin, a security assessment company (See: Healthcare Breaches: Behind the Numbers).

"Comprehensive security risk assessments would have identified where PHI is stored, who has access to it and how it's utilized under a normal work flow," he notes. The assessments then would have enabled organizations to "look further into whether sufficient controls were in place."

The HHS Office for Civil Rights' breach investigations show that "you really still do have significant security vulnerabilities out there," says Leon Rodriguez, director of the office. "And sometimes those issues are as fundamental as no evidence of a risk analysis, no policies and procedures and no adequate technical safeguards for data."

Rodriguez' office recently announced a settlement with BlueCross BlueShield of Tennessee in the wake of an October 2009 breach, one of the first mega-breaches to be reported under the HITECH-mandated HIPAA breach notification rule. That settlement calls for a $1.5 million payment plus a detailed corrective action plan.

In announcing the settlement, Rodriguez stressed that it was the first stemming directly from a self-reported breach under the breach notification rule.

About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
