Health Data Breach Tally Tops 800
Number of Incidents Added to Official List Surges
More than 70 incidents have been added in the last month to the Department of Health and Human Services' "wall of shame" website listing health data breaches affecting 500 or more individuals - far more than in any other recent month.
But of the newly added breaches, about half occurred in 2012, affecting a total of about 190,000 individuals. In addition, 35 breaches occurring in 2013, affecting a total of about 1.2 million individuals, have been added to the list since mid-December.
The largest of the 2013 incidents recently added to the tally was a breach reported by Horizon Blue Cross Blue Shield of New Jersey. That November breach, which involved the theft of two unencrypted desktop computers from the company's headquarters, affected nearly 840,000 individuals.
HHS' Office for Civil Rights attributes the increase in breaches added to its official tally in recent weeks to "maintenance" issues on the website, rather than new breach reporting requirements under the HIPAA Omnibus Rule or investigative trends at OCR.
"HHS is performing maintenance to the online report, and there will be some fluctuations over the next few months in the public-facing reporting tool, which is unrelated to timeliness of reporting by covered entities," says Rachel Seeger, an OCR spokesperson. "The site is constantly being updated, so these numbers can, and will, fluctuate. As such, there may be additional 2012 breaches added to the list in the future."
As of Jan. 22, the HHS site lists 804 breaches affecting 29.3 million individuals since September 2009, when the original HIPAA breach notification rule went into effect. That rule was modified last year as part of the HIPAA Omnibus Rule, which provided far more specific guidance on when a breach must be reported.
So far, the OCR tally lists about 170 incidents in 2013 affecting a total of about 6.9 million individuals. By comparison, the tally includes about 200 incidents from 2012, affecting a total of 2.8 million.
Five mega-breaches - including the Horizon incident - account for 90 percent of those affected by 2013 incidents listed on the tally. The other largest breaches in 2013 include:
- A July breach involving the theft of four unencrypted desktop computers from an office of Advocate Medical Group, a Chicago-area physician group practice. That breach, which the federal tally lists as affecting more than 4 million individuals, has resulted in a class action lawsuit.
- An October breach at AHMC Healthcare involving two unencrypted laptop computers stolen from the company's administrative offices in California. That breach impacted 729,000 individuals.
- A May incident at Texas Health Harris Methodist Hospital Fort Worth involving decades-old microfiche medical records that were slated for destruction, but were instead found in a public dumpster in a park. The breach affected 277,000 patients.
- An April case at the Indiana Family and Social Services Administration impacting 188,000 clients whose personal information was inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate.
More Spikes to Come?
Some security and privacy experts expect an upswing in the number of breaches that will be reported to OCR in 2014, including large breaches that appear on the HHS breach site as well as smaller incidents affecting fewer than 500 individuals. That's, in part, because the HIPAA Omnibus Rule that went into effect last year gives less wiggle room for covered entities and business associates in reporting incidents.
"I certainly believe that more individuals are becoming aware of the need to report," says Bill Miaoulis, founder of HSP Advisors, a compliance consulting firm. "I believe we are having more breaches identified and reported, not more breaches. It is actually a positive sign as we learn from others who report breaches."
Under the updated breach notification rule included in HIPAA Omnibus, organizations now must consider four factors in assessing breaches:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
Before the start of enforcement of the HIPAA Omnibus Rule last September, organizations reported breaches based on the more subjective "harm standard," which had entities weigh whether an incident was likely to cause financial, reputational or other harm to an individual.
One factor that will contribute to fluctuations on the HHS breach tally in the near-term, besides the OCR website's maintenance issues, is "that there are still many healthcare organizations and business associates lacking maturity in their incident identification and analysis processes, which could cause a delay in reporting," says security expert Brian Evans.
"As healthcare organizations and business associates move from a reactive mode to a more formalized and mature information security program, it's only logical that more security incidents will be identified and reported," says Evans, a principal consultant at Tom Walsh Consulting.
Covered entities and their business associates will become better at identifying breaches for reporting, which will likely result in an uptick of reported breaches, Evans says.
"Advanced attacks and malware are getting more common, but basic security gaps remain," he adds. "The types and numbers of organizations affected are, by all accounts, still growing. To address these trends in 2014 and beyond, organizations should continue reshaping their information security programs to manage information risk more effectively."
Even as healthcare entities and their business associates improve their security programs, an analysis of the HHS tally shows that one basic control still remains a gap for many: encryption of laptops, mobile devices and other computing equipment that stores PHI.
Lost or stolen unencrypted devices were involved in more than half of all major breaches reported to HHS. More than two dozen such incidents were added to the list in the last month alone.
Meanwhile, business associates have been involved with about 21 percent of major breaches since 2009, including 15 incidents newly added to the HHS site in recent weeks.