Last year, 164 PHI data breaches were reported to the Secretary of Health & Human Services (HHS) Office of Civil Rights (OCR), according to the fifth annual Redspin data breach report. That is a 25 percent increase over 2013, and approximately 9 million patient records were affected.
Since the inception of the 2009 HITECH Act, the report found, over 40 million Americans have suffered a breach of their personal health information across a total of 1,170 data breaches. These figures do not include the recent Anthem data breach, in which over 80 million patient records were potentially affected.
“From here on, all PHI breach statistics are going to have to be reported as ‘pre- or post-Anthem,’” Redspin President and CEO Daniel W. Berger said in a statement. “It’s that big. We wouldn’t be surprised to see the costs of the Anthem breach exceed a billion dollars.”
Just over 50 percent of the PHI data breaches in 2014 were caused by hacking attacks, according to Redspin, while 30 percent were due to unauthorized access or disclosure. Moreover, the five largest data breaches in 2014 accounted for 82.8 percent of the total reported for the year. This is comparable to 2013, when the five largest incidents accounted for 85.4 percent of the overall total reported.
A major difference between the PHI data breaches reported in 2013 and those in 2014 was the leading cause of incidents. The theft or loss of unencrypted computing devices, such as laptops, was the most harmful issue in 2013. In 2014, however, a single hacking attack accounted for over 50 percent of the compromised records.
“Large scale breaches will continue to dominate the statistics and headlines for one reason: PHI is massively stored on network servers, storage systems, and data back-up,” stated the report. “There might as well be a target on the industry’s back.”
Theft and unauthorized access of devices accounted for 60.9 percent of all reported incidents last year, the report showed. Even though hacking led to the majority of patient records being affected, theft and unauthorized access combined to account for 100 out of the 164 reported incidents.
Stolen laptops and other portable media devices were still a leading cause of PHI data breaches, according to Redspin. They accounted for 25 percent of the total number of incidents last year, while paper was tied to 22 percent of the total number of data breaches.
“Whether due to insider threat, snooping, or negligence, reducing unauthorized access can only be prevented by a comprehensive security program – not a once a year risk assessment but an integrated program of policies, controls, technical safeguards, organizational accountability, enforcement, training, and leadership,” Redspin stated.
Moreover, technology is ever-evolving, along with the IT threat landscape itself, according to the report. While there is no one simple answer to curb health IT security risk concerns, healthcare organizations need to have comprehensive preventative measures in place, Redspin concluded. Hackers will likely continue to target health records, and more hospitals will likely face data breaches in the coming year.
“HIPAA security risk assessments are only the tip of the iceberg, particularly for the providers who resist the idea that this scope of work needs to be technical,” the report said. “It is not possible to adequately assess security risk without identifying real vulnerabilities and developing (and implementing) a remediation plan to address them.”