Major Breach Tally Surpasses 300 Incidents
Official List Shows 11.7 Million Individuals Affected
The biggest incident added in recent weeks, which involved RxAmerica and Accendo Insurance Co., affected about 175,000. In that case, a mail formatting error caused certain personal information to be visible in an envelope window (see: Mail Formatting Error Affects 175,000).
The Department of Health and Human Services' Office for Civil Rights lists breaches affecting 500 or more individuals dating back to September 2009. The list now includes about 49 incidents that occurred in 2011, affecting almost 3.4 million.
The theft or loss of various computer devices and media accounts for about 56 percent of all incidents on the tally. About 20 percent have involved a business associate.
The largest incident reported so far involved insurer Health Net and affected 1.9 million individuals. It stemmed from hard drives missing from a data center managed by IBM, its business associate. An executive at Health Net Oregon recently revealed that 130,000, rather than 124,000, residents of that state were affected (see: Health Net Breach Impact Grows). But the tally of the total number affected has not yet changed on the OCR list.
Breach Notification
OCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the interim final version of the HITECH Act breach notification rule took effect.
The rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents, defined as those affecting 500 or more individuals, must be reported to the Office for Civil Rights within 60 days. But breaches of information that's been encrypted using a specific standard do not have to be reported.
A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected later this year as part of an "omnibus" package of several rules (see: HITECH Mandated Regs Still in Works). The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.
Breach Involving HIPAA Auditor
OCR recently announced it had hired the consulting firm KPMG to conduct HIPAA compliance audits, with tests of the audits slated to begin soon (see: McAndrew Explains HIPAA Audits). OCR's breach tally shows KPMG, as a business associate, was involved in two related breach incidents last year, affecting a total of about 4,600 individuals. The incidents, stemming from the loss of a portable electronic device, occurred May 10, 2010, and affected patients at Saint Barnabas Medical Center and Newark Beth Israel Medical Center. The two New Jersey hospitals are part of Barnabas Health, formerly known as Saint Barnabas Health Care System.
In a notice on its website that has since apparently been removed, the health system said an unencrypted flash drive lost by a KPMG employee may have contained some patients' names and information about their healthcare, but that it did not contain Social Security numbers or financial information, according to several published reports, including one on PHIPrivacy.net.
Asked to comment on whether the incidents were considered before OCR hired KPMG for the audit project, Susan McAndrew, OCR's deputy director of health information privacy, said: "OCR cannot address KPMG's involvement with the breaches at Saint Barnabas as this case is currently under investigation."
Executives at KPMG declined to comment, citing client confidentiality concerns. Saint Barnabas Health Care System executives could not be reached for comment.
McAndrew provided HealthcareInfoSecurity with a statement on the auditor selection process:
"The award of the HIPAA audit contract was the result of HHS' usual rigorous, competitive process. Specific questions regarding the contract award are procurement-sensitive. OCR worked with the HHS Program Support Center through a GSA [General Services Administration] competitive procurement process to select KPMG to conduct the pilot HIPAA privacy and security audits on behalf of HHS.
"This process involved the posting of a solicitation describing the work to be conducted and required qualifications. PSC organized a panel to review and rank all technical proposals received and offeror qualifications by predetermined evaluation criteria. Evaluation criteria in the solicitation included responsiveness to the audit design requirements in the HHS statement of work, as well as past performance on other compliance audit programs. Negotiations were conducted, and an offer was made."