Damage from Healthcare Data Breaches Spreading

Almost twice as many people were affected by healthcare data breaches in 2011 as in 2010, according to a report released on Wednesday. The total number of breaches dropped by 32% to 145 but the number of people affected by those breaches doubled to 10.8 million.

The drop in occurrences reflects increased security controls and investigation procedures put in place to uncover data breaches, explains Tyler Quinn, a CPA who co-authored the report for Kaufman, Rossin, and Co., a Miami-based accounting and business consulting firm.

The increase in the number of people affected by breaches signals that individual incidents are hitting wider targets. The latest tally includes the loss of a single back-up tape containing five million records.

The findings are based on a review of breaches reported to have occurred in 2011according to the Department of Health and Human Services’ website. The self reporting of breaches is a requirement for businesses under the Health Information Technology for Economic and Clinical Health Act (HITECH).

The data shows that California had the highest number of breaches in 2011 with 15, followed by Texas (11), Illinois (8), Florida (7), and New Jersey (7).

The causes are numerous and range in severity. Theft is by far the most common, accounting for more than half of all breaches:

• Theft — 52%
• Unauthorized access —22%
• Loss 11%
• Hacking —6%
• Improper disposal —5%
• Unknown —3%
• Other —1%

Breaches that involved the loss of healthcare data affected the most individuals—6.1 million. Theft affected 2.4 million, unknown cause affected 1.9 million, and loss affected 1.2 million. Unauthorized access, hacking, improper disposal and other combined affected about 464,000 individuals.

The association between laptop computers and healthcare data breaches seems obvious, but access to other portable electronic devices such as thumb drives, backup tapes, CDs, DVDs, and X-Ray films accounted for 28% of the breaches and affected 8.2 million people.

This category of information assets is expected to continue to pose a risk due to the mobility and small size of the devices, which makes them more likely to be lost or stolen, the report says.

As protection, healthcare organizations should evaluate if encryption is applied and consider transferring data via a cloud provider.

Click here to view the article online.