Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, has released a report on security breaches in healthcare. The report, titled “Breach Report 2011, Protected Health Information,” examines a total of 385 incidents affecting over 19 million individuals since the breach notification rule of the American Recovery and Reinvestment Act/Health Information Technology for Economic and Clinical Health Act (ARRA-HITECH) went into effect in Aug. 2009. Redspin's researchers conclude that the total number of breaches increased 97 percent from 2010 to 2011.
Redspin cites two main reasons for the increase: the growing concentration of protected health information (PHI) on unencrypted portable devices (laptops and removable media), and insufficient oversight of PHI disclosed to hospital “business associates.” Malicious attacks (theft, hacking, and insider incidents) continue to account for 60 percent of all breaches, driven by the black-market value of personal health records and their use in medical identity theft to commit Medicare fraud.
Over the past year, data breaches caused by an employee losing an unencrypted device were up 525 percent. In the report, Redspin says the federal government should make the sensible decision to require that all portable devices storing [electronic personal health information] be encrypted. Daniel W. Berger, Redspin’s CEO and president, said in a statement that the problem won’t go away.
“Without further protective measures, data breaches will continue to increase and could derail the implementation, adoption and usage of electronic health records,” he said.