The Department of Health and Human Services’ Office for Civil Rights investigates breaches and adds the number of affected individuals to the running tally of healthcare information breaches. This tally has been growing steadily over the past two months. The federal ‘Wall of Shame’ now lists 409 breach incidents affecting nearly 19.2 million individuals since September 2009, when the breach notification rule mandated by the HITECH Act came into effect.
This list tracks breach incidents that have affected 500 or more individuals. By mid-January this year the tally crossed 19 million, and it continues to rise: since January 20th 2012, 24 breaches affecting a total of 143,000 individuals have been added to the list, four of which took place in 2012 and affected about 29,000 individuals. Notably, nearly 55% of all major breaches reported to date have involved the loss or theft of unencrypted storage devices or media, and 21% have involved business associates.
The tally, which is updated continuously, shows that the number of individuals affected by healthcare information breaches has doubled since 2010, even though the number of incidents fell: in 2010, about 5.4 million people were affected by a total of 212 breaches, while in 2011 more than 10.8 million individuals were affected by 145 breaches.
Some of the major breaches which contributed to the rise in the number of affected individuals in 2011 include:
- The TRICARE breach, which affected 4.9 million individuals
- HealthNet breach affecting 1 million individuals
- Nemours Foundation breach, which affected more than 1 million individuals
- Sutter Health breach affecting a little less than 1 million individuals
- Eisenhower Medical Center breach affecting 514,000 individuals
These breaches account for more than 85% of individuals affected by healthcare information breaches in 2011.
Dan Berger, CEO of the security assessment company Redspin, is of the opinion that inadequate or entirely absent HIPAA security risk analyses were the main cause of most of these breaches. He says that comprehensive security risk assessments would have identified weaknesses in the system and allowed organizations to determine whether sufficient controls were in place. Leon Rodriguez, Director of the HHS Office for Civil Rights, holds the same view. According to him, several fundamental issues recur: a lack of policies and procedures, inadequate safeguards for data, and no evidence that a risk analysis was ever performed.
Time and again, breach incidents have been sending out a strong warning message: data security is a matter of serious concern. Safeguarding data is not possible without a comprehensive solution that helps you measure the state of information security in your organization and the vulnerabilities you are exposed to, through an automated information security and compliance process. eGestalt’s SecureGRC comes with this capability. It provides end-to-end support for all your data protection needs, ensures that risk assessment is performed at regular intervals, and prevents any kind of breach from occurring.