The "wall of shame" for health data breaches at the Department of Health and Human Services has seen a lot of action this month.
In the month of January alone, more than 70 health data breach incidents affecting more than 500 individuals have been added, according to Healthcare Info Security.
"HHS is performing maintenance to the online report, and there will be some fluctuations over the next few months in the public-facing reporting tool, which is unrelated to timeliness of reporting by covered entities," says Rachel Seeger, an OCR spokesperson, according to Healthcare Info Security. "The site is constantly being updated, so these numbers can, and will, fluctuate. As such, there may be additional 2012 breaches added to the list in the future."
The HHS site lists 804 breaches that affected 29.3 million people since September 2009, when the original HIPAA breach notification rule went into effect. The final HIPAA Omnibus Rule includes revisions to the Privacy and Security Rules, the Enforcement Rule and the Breach Notification Rule, and was released last January. In 2013, 170 incidents affected about 6.9 individuals, and in 2012, 200 breaches affected about 2.8 million individuals.
Five "mega-breaches" account for 90 percent of 2013 incidents, Healthcare Info Security points out.
As reported earlier this month, the Centers for Medicare & Medicaid Services and the U.S. Department of Veterans Affairs are among eight federal agencies chastised in a new Government Accountability Organization report for inconsistency in responding to data breaches involving personally identifiable information. The report is based on a performance audit of the agencies conducted from November 2012 through November 2013.
CMS, the report's authors say, failed to document both risk levels and the rationale for its risk determinations with regard to incidents reviewed by GAO. Specifically, CMS did not document a risk level for 56 of 58 incidents.
A report published in December 2012 by the Ponemon Institute determined that data breaches were costing health organizations close to $7 billion annually. Still, privacy experts speaking last summer at the Healthcare Privacy Summit in Washington, D.C., called current efforts to deal with health data security too reactive.