Since the required reporting began in 2009, there have been more than 30,000 data breaches, affecting nearly 7.9 million people who have had their health records exposed, according to a new report by the Department of Health & Human Services (HHS) Office for Civil Rights.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, HIPAA-covered organizations must provide notification to individuals, the Secretary, and sometimes the media (if more than 500 individuals were affected), of breaches of unsecured health information.
Since implementing the Breach Notification for Unsecured Protected Health Information Interim final rule in 2009, the Office for Civil Rights has seen the following numbers:
|
|
Sept. - Dec. 2009 |
Jan. - Dec. 2010 |
||
|
# Reports |
# Total individuals |
# Reports |
# Total individuals |
|
|
Smaller breaches |
5,521 |
12,000 |
25,000 |
50,000 |
|
Larger breaches |
45 |
2.4M |
207 |
5.4M |
Even though large-scale breaches only made up less than one percent of all reports in 2009 and 2010, those affected individuals made up 99 percent of the total persons breached, according to the report.
For large-scale breaches, that is, those affecting more than 500 individuals, the Office of Civil Rights received 45 reports in 2009 (three-month period), affecting 2.4 million people. And in its first full year of reporting in 2010, the Office recorded 207 breaches, affecting 5.4 million.
In both years, theft was the number one reason for breached data. However, in a shift from 2009 to 2010, lost electronic or paper records, as well as improper disposal, played a greater role. Other reasons included unauthorized access or use and human error.
Entities with health information reported the following remedial action steps after the breaches:
- Revise policies and procedures
- Improve physician security by installing new security systems or relocation of equipment to safer places
- Train workers how to handle protected health information
- Provide free credit monitoring for customers
- Adopt encryption technology
- Improve sanctions against violators of policies and procedures
- Change passwords
- Perform a new risk assessment
- Revise business associate contracts to more explicitly require protection of confidential information
For more information:
- check out the report (.pdf)
- here's the Wall of Shame
Share this via Twitter
Related Articles
State law mandates more data breach info
5 tips for securing your hospital's tablets
Tips for patient data security: Policies, education, funding
Security of patient records breaches across the country