Health Breach Tally Hits 6.5 Million

Total Affected by Breaches Could Hit 8 Million Soon
The federal list of major health information breaches included 240 incidents affecting 6.5 million individuals as of Thursday. But that number soon could grow substantially as a result of incidents that made headlines this week.

Not yet included on the list is a health information breach at New York City Health and Hospitals Corp. that may have affected as many as 1.7 million. That incident involved the theft of backup tapes from an unlocked, unattended truck. If the reported number of individuals affected holds up, the incident will be the largest on the federal tally so far.

Also not included is a breach that stemmed from a stolen computer at St. Francis Health System in Oklahoma, affecting 84,000.

Since Jan. 21, 15 incidents affecting a total of 457,000 have been added to the official tally, which is updated when federal officials confirm the details of each event.

As noted last month on HealthcareInfoSecurity.com, a spokesman for the Department of Health and Human Services' Office for Civil Rights said it's possible a breach incident in Puerto Rico that apparently affected about 400,000 individuals may be double-counted on the office's health information breach list. But so far, the office has not re-adjusted that tally.

Breach Statistics

Roughly 22 percent of all incidents on the list involve business associates, and more than half involve the theft or loss of computer devices.

The two most significant breach incidents added to the tally in recent weeks involved hacking incidents at clinics.

Seacoast Radiology in New Hampshire reported an incident that affected 231,000 individuals and involved hackers using a server to gain bandwidth to play a video game.

Ankle & Foot Center of Tampa reported a hacking incident that affected 156,000; a server containing its practice management system was accessed.

HITECH Act Mandate

The Office for Civil Rights began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the HITECH Act breach notification rule took effect.

Under the interim final version of the breach notification rule, breaches affecting 500 or more individuals must be reported to OCR within 60 days. A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected early this year. The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.


About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



