4.9M had health data stolen, lost in first year of HITECH Act

Theft was the primary cause of breaches of personal health information (PHI) between Sept. 21, 2009 and Sept. 21, 2010--the first year in which breach incidents were publicly reported to the Department of Health and Human Services under provisions of the HITECH Act--according to a new study from Miami-based accounting firm Kaufman, Rossin & Co.

Among 166 breaches reported, data theft occurred 58 percent of the time, followed by loss and by other causes (14 percent each), unauthorized access (7 percent), improper disposal (4 percent), hacking/IT incident (2 percent), and incorrect mailing address (1 percent). Of the total number of incidents reviewed nationwide (involving 4.9 million individuals), theft impacted the highest number of those individuals (3.1 million).

Laptops led the list of locations where most breaches occurred (42 incidents) with the most people affected (1.5 million people). This was followed by locations such as hard drives, portable electronic devices and electronic medical records.

PHI can be vulnerable to a breach in many recognized data states, the report noted. These include: data in motion (data moving through a network); data at rest (data that resides in databases, file systems, and other structured storage methods); data in use (data in the process of being created, retrieved, updated, or deleted); and data disposed (discarded paper records or recycled electronic media).

"There are so many various ways for data to be breached in this day and age and many businesses are not properly prepared or are completely unaware of just how vulnerable this information is," said Jorge Rey, study co-author and director of information security and compliance with Kaufman, Rossin, in a statement.
