Top 5 U.S. Healthcare Breaches of 2011
TRICARE Incident, Affecting 4.9 Million, Leads the List
U.S. healthcare organizations must report breaches to federal authorities. The Department of Health and Human Services' Office for Civil Rights compiles what's become known as the "wall of shame" on its website, listing major incidents as the details are confirmed. Here's a look at 2011's five biggest healthcare breaches, in terms of the number of individuals affected.
Five members of Congress recently launched an investigation into a breach affecting 4.9 million beneficiaries of TRICARE, the military healthcare program. TRICARE also faces a class action lawsuit as a result of the incident.
The breach occurred in September when unencrypted backup tapes were stolen from the parked car of an employee of a TRICARE business associate, Science Applications International Corp.
The TRICARE incident is the largest breach reported to federal authorities so far under the HIPAA breach notification rule, which went into effect in September 2009.
The California integrated delivery system faces two class action lawsuits in the wake of an October breach involving the theft of an unencrypted desktop computer containing information on 4.2 million patients.
The stolen computer contained a database for Sutter Physician Services, which provides billing and other administrative services for 21 Sutter units. That database held limited demographic information on about 3.3 million patients collected from 1995 through January 2011. The device also contained a database with more extensive information on 943,000 Sutter Medical Foundation patients, dating from January 2005 to January 2011. This smaller database included the same demographic information as the larger database, plus dates of service and a description of diagnoses and/or procedures.
This incident had not yet been posted on the HHS Office for Civil Rights' official tally as 2011 drew to a close.
Federal authorities plus at least four state agencies launched investigations of a breach affecting 1.9 million enrollees of Health Net, an insurance company. A class action lawsuit also was filed in the case, which involved nine server drives that were discovered missing in January from a California data center managed by IBM.
In 2009, Health Net reported another breach affecting 1.5 million nationwide that involved the loss of a computer disk drive. That case resulted in three state fines.
The children's health system offered about 1.6 million individuals one year's worth of free credit monitoring and identity theft protection following an August breach incident stemming from the loss of three unencrypted backup tapes.
Patient billing and employee payroll information on the tapes, missing from a Wilmington, Del., facility owned by Nemours, included names, addresses, dates of birth, Social Security numbers, insurance information, medical treatment information and direct deposit bank account information. Nemours reported the backup tapes were stored in a locked cabinet, and the cabinet and tapes were reported missing Sept. 8. They are believed to have been removed about Aug. 10 during a facility remodeling project.
The Rancho Mirage, Calif.-based hospital notified more than 514,000 patients of a March breach of a limited amount of personal information stemming from the theft of an unencrypted computer. The computer contained a patient index backup file that included patient names, ages, dates of birth, the last four digits of Social Security numbers and the hospital's medical records numbers. It did not contain health or financial information.