Major U.S. healthcare data breaches have surpassed a significant milestone: More than 500 breaches have been confirmed since September 2009, when the U.S. Department of Health and Human Services began keeping tabs. Those incidents, each affecting 500 or more individuals, have impacted a combined total of 21.2 million individuals.
Hitting the 500-breach milestone is a signal that "healthcare continues to lag in its commitment to resources for privacy and security programs," says Mac McMillan, CEO of CynergisTek, a data security and privacy consulting firm. Until organizations pay more attention to breach prevention, "we're going to continue to see these kinds of results," he says.
HIPAA compliance audits conducted on behalf of HHS "have identified a critical gap in organizations' ability to monitor what users are doing in their enterprises," McMillan adds.
But McMillan is somewhat encouraged that fewer huge breaches have been reported so far in 2012, compared with 2011. Only one incident has affected more than 500,000 individuals in 2012; last year, there were five such incidents.
"While we still lag in several critical areas, organizations are doing better," he acknowledges.
Increased awareness of breaches is leading to the reporting of more incidents, the consultant contends. "I think the numbers today are far more accurate than those reported in past years," says McMillan, who is also chair of the Healthcare Information and Management Systems Society's Privacy & Security Steering Committee.
To continue to reduce the number of serious breaches, McMillan says healthcare organizations need to invest more in security technology, training, and improving how they monitor their business associates.
The Latest Numbers
In the past month, only four incidents affecting about 14,000 individuals were added to the HHS' "wall of shame" tally of breaches, bringing the total to 502 incidents since September 2009, when the HITECH Act-mandated HIPAA Breach Notification Rule took effect.
The HHS Office for Civil Rights adds, and sometimes deletes, breaches as it conducts investigations and confirms the details. OCR recently consolidated two entries involving Howard University, which are now listed as one incident affecting 66,000, an OCR spokeswoman confirms.
Since 2009, 54 percent of the data breaches reported have involved lost or stolen unencrypted electronic devices or media. That includes three of the four breaches added to the list over the last month. Breaches involving business associates account for more than 20 percent of all incidents.
So far, OCR has posted about 91 incidents occurring in 2012 affecting about 2.06 million individuals. Only four of those incidents have affected 100,000 or more individuals.
By comparison, the OCR list includes about 148 incidents in 2011 affecting 10.8 million. That includes five huge incidents accounting for 86 percent of all those affected by breaches last year.
Largest 2012 Breaches
The largest 2012 breaches reported so far include:
- Utah Department of Health: A March hacking incident that affected 780,000 individuals.
- Emory Healthcare: A February incident involving 10 missing computer disks that affected 315,000 individuals.
- South Carolina Department of Health and Human Services: A January incident affecting 228,000 Medicaid recipients. That case involved a now-fired employee who was arrested for allegedly transferring patient information to his personal e-mail account.
- Memorial Healthcare System in Hollywood, Fla.: A July breach in which an employee of an affiliated doctor's office improperly accessed patient information through a physician web portal; it affected 102,000 individuals.
Although the number of breaches, and the number of individuals affected, appear to be declining so far in 2012, "I wouldn't put too much weight on that yet," says Dan Berger, CEO of IT security audit firm Redspin. That's because the totals still could rise in the weeks ahead.
"Certainly the 'carrot and stick' impact of HITECH Act EHR meaningful use incentives, which require a HIPAA security risk analysis, and recent OCR breach penalties has elevated IT security in importance among providers," Berger says. "But we've yet to see widespread improvements in two critical areas: business associate oversight and employee security awareness training."
A security risk analysis is only the starting point in any breach prevention effort, Berger stresses. "Many organizations put the emphasis on compliance, which, while important, is not synonymous with security. We believe IT security in healthcare is an ongoing process."
Healthcare organizations must maintain a state of breach prevention readiness through a persistent cycle of testing, remediation, and validation, he adds. "The same is true for employees and business associates. It is not enough for an employee to attend HIPAA training once per year or a BA to simply agree to security provisions in a contract. Security requires more engagement."