Health Data Hacking Likely To Increase

Wondering about trends in the various protected health information breaches you see in the news every now and then? Here are some hard numbers, courtesy of IT security firm Redspin, which has pulled together data on incidents reported to HHS since breach notification rules went into effect in August 2009.

According to Redspin research, a total of 538 large breaches of PHI, affecting 21.4 million patient records, have been reported to HHS since the notification rule went into effect as part of the HITECH Act. The largest breach in 2012 resulted in exposure of 780,000 records.

Between 2011 and 2012, there was a 21.5 percent increase in the number of large breaches reported, but interestingly, a 77 percent decrease in the number of patient records impacted, Redspin reports.

More than half of the breaches (57 percent) involved a business associate, and 67 percent were the result of theft or loss. Thirty-eight percent of incidents involved data on a laptop or other portable electronic device that wasn’t encrypted.

During 2012, the top five incidents contributed almost two-thirds of the total number of patient records exposed. They each had different causes, however, making it hard to draw any broad conclusions as to how PHI gets breached.

Meanwhile, if that business associate stat intrigues you, check this out: historically, the firm concludes, breaches at business associates have impacted 5 times as many patient records as those at a covered entity. (It certainly encourages one to take a second look at how skilled their business associates are at maintaining security.)

While all of this is interesting, perhaps the most important info I came away with was that Redspin thinks health data hacking is likely to increase in coming years. From 2009 to the date of the report, hacking has contributed to only 6 percent of breaches, but the biggest breach, an Eastern European-based attack on the State of Utah, “should end any complacency,” Redspin advises.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

6 Comments

  • Thanks for this post. More ammunition in the fight to encourage clients to take a serious look at their BAAs, especially with their IT vendors, is always welcome.

  • Sadly, data breaches will always be with us. The complexities of healthcare have too many touch points; more are coming. I feel for IT departments who are often at odds with employees trying to conduct daily business in innovative ways… and now responsible for the successful and secure reengineering of an industry. No small feat.

    Some debate the need for a new, secure Internet. But from what I read security measures will never completely secure information.

    I would suggest that information needs to be “widely distributed” rather than gathered into data silos. Scattered much like a neighborhood after a tornado. If encryption sequences do not fall into place to string data together, information cannot be gathered.

    I know, I know… sometimes a child can lead; sometimes they need to be sent to their room. Admittedly a novice here, I will go to my room now… grin.

  • Sande,
    No need to go to the room. We welcome all opinions. Plus, yours is a good one. It’s true that we’ll never be without breaches and technology will never be completely secure. Plus, we also need to realize that there were breaches before technology too. We just never knew about them because we didn’t fingerprint every paper chart.

  • Great observation concerning Covered Entities checking up on their Business Associates. With HHS releasing the Final Omnibus Rule, now is a good time to engage Business Associates to review and update BA Agreements. While the final rules do not go into effect until next year, considering all the Business Associates a practice deals with and any subcontractors they work with as well, getting an early start is a good idea.
