Driven by a few mega healthcare data breaches in 2013, the number of individuals affected is now more than twice the number in 2012. Three recent breaches that grabbed the headlines have not yet been added to the official 2013 tally; once the number of affected individuals is confirmed, the breach tally for 2013 could surge by almost a million.
The ‘Wall of Shame’, to which the Department of Health and Human Services’ Office for Civil Rights adds breaches affecting more than 500 individuals, shows that as of December 20th, more than 5.7 million individuals have been affected by over 130 health data breaches in 2013, compared with 2.7 million affected by 160 breaches in 2012.
Notably, three large breaches are yet to be added to this federal tally. They include:
- The data breach reported by Horizon Blue Cross Blue Shield of New Jersey in November this year, where two unencrypted desktop computers were stolen from the company’s headquarters, affecting nearly 840,000 individuals.
- The malware breach reported by the University of Washington Medicine, affecting 90,000 individuals.
- The breach at Cottage Health System in California, which affected 32,500 patients who had their patient health information exposed on Google for 14 months because of a lapse in a business associate’s systems.
Of the individuals included in the federal tally so far, more than 90 percent were victims of four large breaches:
- The July breach at an office of the Advocate Medical Group, which affected 4 million individuals and resulted in a class action lawsuit.
- A breach in October at AHMC Healthcare, which involved two unencrypted laptop computers stolen from the administrative offices in California, affecting 729,000 individuals.
- A breach incident in May at Texas Health Harris Methodist Hospital Fort Worth, involving decades-old microfiche medical records, affecting 277,000 patients.
- An incident reported in April at the Indiana Family and Social Services Administration, impacting 188,000 clients whose personal information was disclosed in mailings to other clients due to a programming error by a business associate.
It has been repeatedly noted that a large percentage of breaches involved business associates, and the most common cause of breaches has been the loss or theft of unencrypted devices or media. Despite continued emphasis on the role of encryption in safeguarding patient data, most healthcare entities seem to be missing the point, and data breaches caused by lack of encryption continue to fill the ‘Wall of Shame’.
Moreover, with business associates becoming directly liable for HIPAA compliance, they are seen moving from a reactive to a proactive model for data security. It is only logical that with this shift, more data breach incidents will be identified and reported in the future.
How to Keep Breaches Away
By taking certain key steps, healthcare data breaches of all sizes can be prevented. Firstly, a thorough risk analysis is crucial to help identify security risks and threats looming over healthcare data. This can significantly help bring down the possibility of a breach. Secondly, monitoring the practices of business associates and subcontractors can further improve the security posture of a healthcare entity. Modifying Business Associate agreements alone is not sufficient to prevent a breach; periodic review of their operations and ensuring their compliance with security standards are also essential to keep breaches at bay. And most importantly, data encryption is a crucial step in protecting healthcare data. Encrypting data can go a long way not only in avoiding breach incidents, but also in preventing legal action in the event of a breach.
This is where comprehensive security solutions such as Aegify Security Posture Management and Aegify SecureGRC prove extremely helpful. They address all security concerns with an in-built framework that follows all key steps necessary to safeguard healthcare information, thus eliminating the possibility of a breach incident.