More than 70 incidents have been added in the last month to the Department of Health and Human Services'wall of shame website listing health data breaches affecting 500 or more individuals far more than in any other recent month.
But of the newly added breaches, about half occurred in 2012, affecting a total of about 190,000 individuals. In addition, 35 breaches occurring in 2013, affecting a total of about 1.2 million individuals, have been added to the list since mid-December.
The largest of the 2013 incidents recently added to the tally was a breach reported byHorizon Blue Cross Blue Shield of New Jersey. That November breach, which involved the theft of two unencrypted desktop computers from the company's headquarters, affected nearly 840,000 individuals.
HHS' Office for Civil Rights attributes the increase in breaches added to its official tally in recent weeks to "maintenance" issues on the website, rather than new breach reporting requirements under theHIPAA Omnibus Ruleor investigative trends at OCR.
'HHS is performing maintenance to the online report, and there will be some fluctuations over the next few months in the public-facing reporting tool, which is unrelated to timeliness of reporting by covered entities," says Rachel Seeger, an OCR spokesperson."The site is constantly being updated, so these numbers can, and will, fluctuate. As such, there may be additional 2012 breaches added to the list in the future."
Tally Update
As of Jan. 22, the HHS site lists 804 breaches affecting 29.3 million individuals since September 2009, when the original HIPAA breach notification rule went into effect. That rule was modified last year as part of the HIPAA Omnibus Rule, which provided far more specific guidance on when a breach must be reported.
So far, the OCR tally lists about 170 incidents in 2013 affecting a total of about 6.9 million individuals. By comparison, the tally includes about 200 incidents from 2012, affecting a total of 2.8 million.
Five mega-breaches including the Horizon incident account for 90 percent of those affected by 2013 incidents listed on the tally. The other largest breaches in 2013 include:
- A July breach involving the theft of fourunencrypted desktop computers from an office of Advocate Medical Group, a Chicago-area physician group practice. That breach, which the federal tally lists as affecting more than 4 million individuals, has resulted in a class action lawsuit.
- An October breach atAHMC Healthcareinvolving two unencrypted laptop computers stolen from the company's administrative offices in California. That breach impacted 729,000 individuals.
- A May incident atTexas Health Harris Methodist Hospital Fort Worth arrisHinvolving decades-old microfiche medical records that were slated for destruction, but were instead found in a public dumpster in a park. The breach affected 277,000 patients.
- An April case at the Indiana Family and Social Services Administrationimpacting 188,000 clients whose personal information was inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by abusiness associate.
More "Spikes" to Come?
Some security and privacy experts expect an upswing in the number of breaches that will be reported to OCR in 2014, including large breaches that appear on the HHS breach site as well as smaller incidents affecting fewer than 500 individuals. That's, in part, because the HIPAA Omnibus Rule that went into effect last year gives less wiggle room for covered entities and business associates in reporting incidents.
Under the updated breach notification rule included in HIPAA Omnibus, organizations now must consider four factors in assessingbreaches:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
Before the start of enforcement of the HIPAA Omnibus Rule last September, organizations reported breaches based on the more subjective "harm standard," which had entities weigh whether an incident was likely to cause financial, reputational or other harm to an individual.
More Possible Threats
One factor that will contribute to fluctuations on the HHS breach tally in the near-term, besides the OCR website's maintenance issues, is that there are still many healthcare organizations and business associates lacking maturity in their incident identification and analysis processes, which could cause a delay in reporting.
As healthcare organizations and business associates move from a reactive mode to a more formalized and mature information security program, it's only logical that more security incidents will be identified and reported.