Hackers and other malefactors steal a surprising amount of personal health information by breaching computer security. Between August 2009 and December 2010, the electronic health records of more than 6 million individuals were compromised, and 61 percent of those security breaches were the result of malicious intent, according to Redspin, a leading provider of HIPAA risk analysis and IT security assessment services.
The Redspin report focuses only on breaches involving more than 500 people, which must be reported to the Department of Health and Human Services under the breach notification provision of the HITECH Act. So it's likely that far more than 6 million people actually had their personal health information compromised, and that's just during the study period.
Business associates accounted for 40 percent of all the records breached. But that percentage, too, might be larger than reported. Although business associates are required to report breach incidents to healthcare providers within 60 days of their occurrence, it's not hard to imagine situations in which they fail to do so.
The report found that the security breaches occurred in 43 states, Washington, D.C., and Puerto Rico. Each breach affected 27,000 people on average, and breaches involving laptops and other mobile devices impacted on an average of 66,000 people. The latter accounted for 44 percent of all incidents and 65 percent of all records breached, suggesting that the theft or loss of mobile devices is as major a reason for breaches as hacking.
Security officers have new motivation to protect healthcare data
HIPAA security breaches about to cost more thanks to HITECH