The tally of healthcare information breaches seems to be steadily increasing despite security regulations and associated legal action, and it is soon to exceed 20 million once three recent breach incidents are added. With 410 incidents affecting nearly 19.2 million individuals since September 2009, the tally is already at a record high. As of April 24th this year, the breach list includes four new breaches reported in 2012, affecting a total of 31,000 individuals. Apart from these, three significant breach incidents have not yet been included in the tally:
- A hacking incident at Utah Department of Health which affected 780,000 individuals including Medicaid clients, Children’s Health Insurance Plan recipients, etc.
- The Emory Healthcare breach incident which involved 10 missing computer disks, affecting 315,000 surgical patients
- A breach incident involving an ex-employee at South Carolina Department of Health and Human Services, where the employee is said to have transferred confidential patient information to his personal email account. This breach has affected 228,000 Medicaid recipients.
Breach incidents are added to the ‘Wall of Shame’ by the Department of Health and Human Services’ Office of Civil Rights following an investigation of the breach incidents to confirm the details. This list tracks the breaches which have affected 500 or more individuals since late September 2009 when the breach notification rule mandated by the HITECH Act came into effect.
It has been noted that nearly 55 percent of all major breaches reported since September 2009 have involved lost or stolen unencrypted electronic devices or media, and 7 percent involve hacking attacks. Although hacking attacks have been relatively rare in comparison to stolen or lost unencrypted devices, they are becoming more common and are therefore a growing cause for concern. The breach at Utah Department of Health is by far the largest of 30 hacking incidents on the list of major breaches.
Rebecca Herold of Rebecca Herold & Associates is of the opinion that this is an eye-opener to all business leaders and organizations: there are hackers who keep an eye on systems they view as prime targets that can yield huge goldmines of data. It is therefore important to prevent hacker attacks by identifying and closing the loopholes that may have enabled a hacking incident. For instance, the Utah incident was possible because of a shortcoming in protecting the state server: a configuration error at the authentication level allowed the hacker to circumvent the security system. Since such mistakes are not uncommon in the healthcare industry, it is important to consider technical means to monitor health information and to ensure that security controls are uniformly applied and maintained throughout the entity.
One such technical means to monitor and protect health information is to adopt a comprehensive security and compliance solution like SecureGRC which provides complete security to the data in an organization. It monitors the movement of information and controls access at all levels. With periodic risk assessments and capabilities for data encryption, SecureGRC offers everything that an organization needs to stay secure and compliant, and steer clear of breaches of any nature.