Healthcare Breach Tally: 409 Incidents
Major Breaches Have Affected 19.2 Million Since 2009
The federal "wall of shame" tally of major healthcare information breaches has been growing relatively slowly the past two months. It now includes 409 incidents affecting almost 19.2 million individuals since September 2009.
About 24 breaches affecting 143,000 individuals have been added to the tally since Jan. 20. So far, the list includes only four 2012 incidents affecting a total of about 29,000. The Department of Health and Human Services' Office for Civil Rights adds breaches to the tally after it investigates the details. The list tracks breaches affecting 500 or more individuals that have occurred since late September 2009, when the HITECH Act-mandated breach notification rule went into effect.
About 55 percent of all the major breaches reported so far have involved lost or stolen unencrypted electronic devices or media. Roughly 21 percent, including many of the largest breaches, have involved business associates.
More Affected in 2011
The tally, which is continually updated, now shows that the number of individuals affected by healthcare information breaches nearly doubled in 2011 compared with 2010, despite far fewer breach incidents last year.
More than 10.8 million individuals were affected by about 145 breaches in 2011; in 2010, about 5.4 million were affected by about 212 breaches.
The surge in the number of individuals affected during 2011 stems from a handful of huge breaches, including:
- A breach involving TRICARE, the military health program, and its business associate, Science Applications International Corp., which affected 4.9 million. Eight class action lawsuits filed in this case may be consolidated.
- Insurer Health Net's breach, which involved business associate IBM and affected 1.9 million.
- A breach incident at the Nemours Foundation, which affected more than 1 million, according to the latest OCR tally.
- A breach at Sutter Health, which OCR says affected just under 1 million individuals whose healthcare information was exposed. The incident also affected another 3.3 million individuals whose healthcare information was not involved, and those are not counted in the OCR figure.
- An Eisenhower Medical Center breach that affected 514,000.
These five incidents account for more than 85 percent of the individuals affected by all the major healthcare information breaches last year.
No Risk Analysis?
"Large-scale incidents make it painfully clear that inadequate, if any, HIPAA security risk analyses took place prior to the breaches," says Dan Berger, CEO of Redspin, a security assessment company (See: Healthcare Breaches: Behind the Numbers).
"Comprehensive security risk assessments would have identified where PHI is stored, who has access to it and how it's utilized under a normal work flow," he notes. The assessments then would have enabled organizations to "look further into whether sufficient controls were in place."
The HHS Office for Civil Rights' breach investigations show that "you really still do have significant security vulnerabilities out there," says Leon Rodriguez, director of the office. "And sometimes those issues are as fundamental as no evidence of a risk analysis, no policies and procedures and no adequate technical safeguards for data."
Rodriguez' office recently announced a settlement with BlueCross BlueShield of Tennessee in the wake of an October 2009 breach, one of the first mega-breaches to be reported under the HITECH-mandated HIPAA breach notification rule. That settlement calls for a $1.5 million payment plus a detailed corrective action plan.
In announcing the settlement, Rodriguez stressed that it was the first stemming directly from a self-reported breach under the breach notification rule.