Large-Scale Data Breaches Have Increased, but Fewer Patients Affected, Report Says

Feb. 14, 2013
According to a report from Carpinteria, Calif.-based Redspin Inc., a provider of IT security assessments, the number of large-scale health data breaches increased from 2011 to 2012, but the number of patients affected by such breaches decreased last year. The report, titled “Breach Report 2012, Protected Health Information,” examined a total of 538 incidents affecting over 21.4 million individuals since the interim breach notification rule under the HITECH Act went into effect in August 2009.

The report found that the number of health data breaches affecting 500 or more individuals increased from 121 in 2011 to 146 in 2012. However, the number of patient records affected by such breaches decreased from 10.6 million in 2011 to 2.4 million in 2012, according to the report.

Over half of all breaches (57 percent) have involved "business associates," third-party vendors that need access to protected health information (PHI) to provide their services to covered entities. "The recently-published HIPAA Omnibus Rule now requires business associates to comply with HIPAA privacy and security regulations directly and extends civil liability to BAs for PHI breach," said Daniel Berger, Redspin’s president and CEO. "This is a major regulatory change. But health providers should not just assume all BAs will comply—they need to be proactive, working closely with their business partners to build a secure 'chain of PHI custody.'"

Redspin also reported that the lack of encryption on laptops and other portable electronic devices is the root cause of over one-third of PHI breaches (38 percent). The company suggested that encrypting portable devices be more widely implemented and enforced given the surge in the use of personally-owned mobile devices at work.

Redspin warned that personal health records are high-value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes—even held for ransom. Although there has been a relatively low incident rate of hacking among all PHI breaches to date, Berger said that last year's attack on the Utah Department of Health "may be the canary in the coal mine."
