As indicated in a July 8, 2010 press briefing, the Office of Civil Rights (OCR) of the United States Department of Health & Human Services (HHS) has updated its HIPAA breach notification webpage. This is the webpage where OCR is posting breaches of unsecured Protected Health Information (PHI) affecting 500 or more individuals. The format includes brief summaries of the incidents reported to the HHS Secretary that OCR has investigated and closed. The format also allows users to search and sort the posted breaches by entity, state, date, number of individuals affected, type of breach, and location of breached information. There are currently 107 breach notifications posted, all occurring since September 9, 2009. The breaches reported thus far indicate that theft ranks #1 as the type of activity leading to a breach. A quick run-down of the stats reflect the following:
Type of breach: 67 from theft (8 of which involved unauthorized access), 10 from loss, 7 from unauthorized access, 3 from hacking/IT incident
Location of breached information: 34 from laptops (32 thefts and 2 lost), 22 from paper records (4 thefts, 4 losses, 4 improper disposals), 15 from desktop computers (13 thefts); 11 from portable devices (10 thefts), 9 from network servers (4 thefts, 3 hackings), 6 from e-mail (1 phishing scam, 1 misdirected, 1 theft)
The following are the largest breaches reported thus far on the OCR website involving over 100,000 individuals:
- 1,220,000; stolen laptop; AvMed, Inc.
- 998,442; stolen hard drive; Blue Cross & Blue Shield.
- 480,000; hacking/IT incident of a network server;Wellpoint, Inc.
- 344,579; type and location of breached information listed as “other”; Affinity Health Plan, Inc.
- 180,000; theft of portable electronic device; Emergency Healthcare Physicians, Ltd. and its Business Associate, Millennium Medical Management Resources, Inc.
- 130,495; loss classified as “other”; Lincoln Medical and Mental Health Center, and its Business Associate, Siemens Medical Solutions, USA, Inc.
The OCR’s published reports relate only to closed investigations of reported incidents. There have been an increasing number of reported breach incidents in the media involving health care providers or health plans, some of which do not involve PHI but do involve other sensitive information that can be used to commit identify theft, such as social security numbers. Incidents not involving PHI would not be reportable to OCR and not published on the OCR Breach Publication Webpage.
A significant takeaway from OCR’s published breach reports is that theft or loss of laptops and portable devices, technology that is readily portable, should be a top priority for implementing appropriate technologies and methodologies to secure PHI on such devices, namely encryption or appropriate destruction, as applicable. Appropriate encryption or destruction of PHI is deemed sufficient under current regulations and guidance to render PHI unusable, unreadable or indecipherable. Lost or stolen PHI that has been encrypted or destroyed according to HHS standards does not have to be reported to OCR. Note that a breach of PHI that is protected only by firewalls and access controls will be deemed a reportable breach if it involves 500 or more individuals. Failure to implement appropriate security policies, technologies and methodologies to protect PHI can be extremely costly for an organization when a significant loss of PHI occurs, considering the potential fines and penalties, plus notification and identify theft protection costs. The costs of notifying hundreds of individuals whose PHI is the subject of the breach can be significant in view of postage, stationery, and staff resources to mail the notices as well as the costs of publication with required news outlets.
To read more about the technologies and metholodies that OCR has deemed appropriate to render PHI unusable, unreadable or indecipherable, consult OCR’s Breach Notification Interim Final Regulation (74 FR 42740), published August 2009. To read more about breach notification, go to the OCR’s webpage on Breach Notification and click on the links at the bottom of that page.