Data Breaches Affect Millions of Patients Since 2009
A list of breaches of unsecured protected health information (PHI) affecting 500 or more people reveals that over 250 such incidents, involving more than 10 million patients, have occurred since September 2009. The Office for Civil Rights (OCR) began collecting that data in February 2010, with enactment of the Health Information Technology for Economic and Clinical Health (HITECH) breach notification rule. The rule requires health care organizations to report breaches that affect 500 or more patients to the U.S. Department of Health and Human Services (HHS) secretary within 60 days.
Insurance provider HealthNet was responsible for the largest single breach, which affected 1.9 million people. A breach affecting New York City Health and Hospitals Corp.’s North Bronx Healthcare Network involved 1.7 million patients. Breaches at Blue Cross/Blue Shield Tennessee and AvMed, Inc. each affected over 1 million patients as well.
Most breaches were not the result of computer “hacking,” but rather of the loss or theft of computer hardware that held unencrypted patient information. For example, the North Bronx Healthcare Network breach occurred when computer backup tapes were stolen from a van. Many other breaches likewise resulted from the theft or loss of desktops, laptops, flash drives, and other data storage devices.
Especially with the widespread adoption of electronic health records (EHRs), all health care organizations must act to protect patient information and remain in compliance with the Health Insurance Portability and Accountability Act (HIPAA) requirements. Recommendations to improve data security include log-in management, hard drive encryption, PHI mapping (to reduce the risk that data is stored on unauthorized devices), and proper disposal of old equipment.