According to Redspin's 2013 Breach Report, 804 large breaches of protected health information (PHI) affecting more than 29.2 million patient records have been reported to the Secretary of Health and Human Services (HHS) since the 2009 HITECH Act (Health Information Technology for Economic and Clinical Health) took effect.
The report's results were broken down into a few categories: data breach growth since 2010, big data breaches, theft tactics and trends, and the impact of the HIPAA Omnibus Rule on covered entities and business associates (BAs).
Breaches still increasing
In 2013, according to Redspin, there were 199 large PHI breaches that affected 7,095,145 patients and were reported to the Office for Civil Rights (OCR). In 2012, the number of affected patients was 2,983,984, so 2013's figure represents a 137 percent increase in the number of breached healthcare records. Though the figures certainly stand out, the report points to a few reasons for this growth. First, many organizations were dealing with Stage 1 of the CMS EHR Meaningful Use Incentive program, and security can get lost during implementation. Second, Redspin said, organizations were due for an uptick in breaches because OCR did not continue its audit program in 2012.
The five largest PHI data breaches in 2013 accounted for 85.4 percent of all records breached that year. The common thread among these breaches was that they involved storage systems, EHR applications, servers, and data backups. These were the biggest breaches, all of which HealthITSecurity.com reported on last year:
- Advocate Health and Hospitals (4,029,930 patients affected in a desktop computer theft)
- Horizon Healthcare Services (839,711 affected in a laptop theft)
- AHMC Healthcare Inc. (729,000 affected in a laptop theft)
- Texas Health Harris Methodist Hospital (277,014 affected by improper disposal of microfiche)
- Indiana Family and Social Services Administration (FSSA) (187,533 affected by inadvertent exposure)
Theft, often combined with human error, was the largest cause of PHI breaches in 2013 by an overwhelming margin. Stolen devices, according to the report, accounted for more than 45 percent of reported incidents. Whether it's someone leaving a laptop in their car or a thumb drive out in the open, theft and physical security continue to be a huge issue in healthcare.
HIPAA Business Associates
Although the number of breach incidents involving a BA stayed the same in 2013, there was a dramatic drop in the number of affected patient records. From late 2009 through the end of 2012, the report said, 57 percent of all patient records in large-scale PHI breaches involved a business associate. In 2013, BA breaches accounted for only 10.2 percent of all records affected.
Much of the final Omnibus Rule followed the interim regulations enacted in 2010-2011 after the passage of HITECH. However, no interim rule regarding BAs was ever published, so it was a regulatory sea change when Omnibus set a HIPAA compliance date of September 23, 2013 for BAs and their subcontractors. They must now be fully HIPAA compliant and can be held directly liable, civilly and (in rare cases) criminally, for a PHI breach.
Redspin went on to offer these tips for increasing breach awareness and reducing incidents:
1. Conduct an annual HIPAA security risk analysis
2. Encrypt data at rest
3. Perform more frequent vulnerability assessments and penetration testing
4. Invest in the security awareness of your workforce
5. Engage with BAs