More than 7 million patient records were breached last year, an increase of 138 percent from 2012, according to a report from IT security audit firm Redspin.
The report analyzes breaches reported to the U.S. Department of Health & Human Services and identifies trends and highlights areas most in need of improvement.
A single incident--the theft of four desktop computers from Downers Grove, Ill.-based Advocate Medical Group--exposed more than 4 million records. Stolen devices also accounted for the second- and third-largest breaches; all three involved unencrypted data. For the past three years, Redspin has cited unencrypted data on mobile devices as one of the highest risks to personal health information (PHI).
There has been a sense that by requiring security assessments to qualify for Meaningful Use incentives and by bolstering enforcement, the government was driving real progress in protecting PHI, Daniel W. Berger, Redspin's president and CEO, says in an announcement. He adds that the numbers, though, "caught a lot of people by surprise."
Yet, "many HIPAA security risk assessments only graze the surface," he says. "It is essential that your scope be both broad and deep. The goal is not simply to complete a compliance checklist; it is about safeguarding PHI. That takes organization commitment and investment. Vigilance must be institutionalized."
The HHS' "wall of shame" saw a lot of action in January--more than 70 health data breach incidents affecting more than 500 people were added. The HHS site lists 804 breaches that affected 29.3 million people since September 2009.
Meanwhile, 82 percent of health IT executives in a recent survey said their technology infrastructure is "not fully prepared for a disaster recovery incident." Nearly one in five (19 percent) global healthcare organizations experienced a security breach in the last 12 months at a cost of $810,189 per incident, according to results of the MeriTalk survey.
To learn more:
- download the report
- here's the announcement