HHS report: Nearly 7.9M health records exposed

Since the required reporting began in 2009, there have been more than 30,000 data breaches, affecting nearly 7.9 million people who have had their health records exposed, according to a new report by the Department of Health & Human Services (HHS) Office for Civil Rights.

Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, HIPAA-covered organizations must provide notification to individuals, the Secretary, and sometimes the media (if more than 500 individuals were affected), of breaches of unsecured health information.

Since implementing the Breach Notification for Unsecured Protected Health Information Interim final rule in 2009, the Office for Civil Rights has seen the following numbers:


Sept. - Dec. 2009

Jan. - Dec. 2010

# Reports

# Total individuals

# Reports

# Total individuals

Smaller breaches





Larger breaches





Even though large-scale breaches only made up less than one percent of all reports in 2009 and 2010, those affected individuals made up 99 percent of the total persons breached, according to the report.

For large-scale breaches, that is, those affecting more than 500 individuals, the Office of Civil Rights received 45 reports in 2009 (three-month period), affecting 2.4 million people. And in its first full year of reporting in 2010, the Office recorded 207 breaches, affecting 5.4 million.

In both years, theft was the number one reason for breached data. However, in a shift from 2009 to 2010, lost electronic or paper records, as well as improper disposal, played a greater role. Other reasons included unauthorized access or use and human error.

Entities with health information reported the following remedial action steps after the breaches:

  • Revise policies and procedures
  • Improve physician security by installing new security systems or relocation of equipment to safer places
  • Train workers how to handle protected health information
  • Provide free credit monitoring for customers
  • Adopt encryption technology
  • Improve sanctions against violators of policies and procedures
  • Change passwords
  • Perform a new risk assessment
  • Revise business associate contracts to more explicitly require protection of confidential information

For more information:
- check out the report (.pdf)
- here's the Wall of Shame

Share this via Twitter

Related Articles
State law mandates more data breach info
5 tips for securing your hospital's tablets
Tips for patient data security: Policies, education, funding
Security of patient records breaches across the country

Suggested Articles

The profit margins and management of Community Health Group raise questions about oversight of managed care insurers.

Financial experts are warning practices about the pitfalls of promoting medical credit cards to their patients.

A proposed rule issued by HHS on Tuesday would expand short-term coverage, a move Seema Verma said will have "virtually no impact" on ACA premiums.