Official Breach Tally Approaches 100: 'Hall of Shame' Highlights Risks of Mobile Devices
Under the HITECH Act breach notification rule, which went into effect last September, a breach of unsecured protected health information affecting more than 500 individuals must be reported to the HHS Office for Civil Rights (OCR) and the news media, as well as to the individuals affected, within 60 days of discovery. Properly encrypted data that is lost or stolen does not count as a reportable breach under the rule, which is why the entries below concern unencrypted devices and media.
The list contained 36 incidents when OCR launched it on Feb. 22.
Security expert Tom Walsh calls the total number of breaches reported so far "surprisingly high," adding, "Just imagine how many breaches were occurring prior to the breach notification requirement. Nobody was talking then."
The vast majority of the incidents involve the physical loss or theft of devices or records rather than electronic intrusion. About 61 percent involve the theft or loss of unencrypted computing devices or media, such as laptops, USB flash drives, CDs or hard drives. About 9 percent involve the theft or loss of paper records.
Other incidents have a wide variety of causes, ranging from mailing errors to unauthorized access to records or e-mail. Only one phishing incident has been reported, and there have been no reports of a large-scale hacking attack.
Mobile Devices Vulnerable
The official breach tally provides powerful evidence that healthcare organizations need to do more to protect mobile devices and media, says Terrell Herzig, information security officer at UAB Medicine, Birmingham, Ala. Herzig offers a list of 10 action items that goes well beyond encryption, including such steps as developing a comprehensive set of policies for portable media and devices, and providing extensive staff education.
Walsh, president of Tom Walsh Consulting, Overland Park, Kan., is hopeful the publicity surrounding the federal list will lead to a decline in breaches over time. "When you explain to an executive you can encrypt a laptop for $55 or less, get a 4G encrypted USB for $75, and then measure these preventive costs against the cost of breach notification and remediation, the light bulb goes off," he says.
"The list could raise this issue to the attention of upper management, the people who provide the resources," adds Lisa Gallagher, senior director, privacy and security at the Healthcare Information and Management Systems Society.
The four largest incidents, which together account for more than 79 percent of individuals affected by all the major breaches so far, are:
- Avmed Health Plan alerted more than 1.2 million about a breach related to the theft of a laptop.
- BlueCross BlueShield of Tennessee informed nearly 1 million individuals about a breach stemming from the theft of 57 hard drives from a closed call center.
- Affinity Health Plan notified over 400,000 about a breach related to returning leased copy machines whose hard drives still held patient information.
- Emergency Healthcare Physicians Ltd. in suburban Chicago alerted more than 180,000 to a breach involving the theft of a portable hard drive at a billing service.
In the wake of its breach incident, executives at BlueCross BlueShield of Tennessee say they took several steps, including appointing a chief security officer to oversee all aspects of security, not just information technology. Roy Vaughn, the insurer's director of corporate communications, encourages other organizations to keep one thing in mind as they prepare for breach notifications: "Life is 10 percent what happens to you and 90 percent how you respond to it."
Other trends in the list so far:
- Sixteen of the breaches have involved business associates, including the Emergency Healthcare Physicians case.
- The Department of Veterans Affairs, the nation's largest healthcare provider, has reported five breaches at its facilities.
- The month with the most incidents was February, with 19, followed by December with 14.
Because incidents are added to the list only once OCR confirms the details, it's impossible to tell whether all incidents from a given month have been posted. However, only eight cases have been reported so far for April and three for May, perhaps indicating that breaches are declining as the list is publicized and organizations take preventive action.
Since launching the list, OCR has not displayed the names of solo practitioners who have experienced major breaches, listing them only as "private practice." But that is slated to change, thanks to a shift in policy recently announced in the Federal Register, which will enable the naming of the physicians involved. OCR officials said June 21 that they planned to add the missing names "shortly."
For now, 10 reports for "private practices" are on the list. Five of those are for incidents dated Sept. 27, 2009, all involving the theft of, or unauthorized access to, desktop computers, and all at practices in Torrance, Calif. It's impossible to tell, however, whether the incidents all occurred at one location, and OCR declined to provide further details.