Tally of Major Breaches Ever-Changing

Federal HITECH Breach List Often Adjusted
Tally of Major Breaches Ever-Changing
Those using the federal list of major health information breaches to keep score of how many individuals have been affected must keep in mind that the list is revised as investigations continue.

For example, as of Jan. 21, the total number of individuals affected by breaches, according to the list, stood at just over 6 million, down from 6.3 million a month earlier. The reason? The tally for one incident was slashed dramatically after an investigation.

In addition, a spokesman for the Department of Health and Human Services' Office for Civil Rights says that it's possible another incident in Puerto Rico that apparently affected about 400,000 may be double-counted on the office's health information breach list. That could lead to another adjustment in the running-total in the weeks ahead.

Breach Incident Investigation

As reported earlier at HealthcareInfoSecurity.com, a health information breach incident involving Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan initially was estimated to have potentially affected more than 280,000 individuals. But now, the OCR tally indicates 808 were affected by the incident, which involved the loss of an unencrypted flash drive.

"The covered entity's forensic analysis of this incident concluded that that number originally reported was incorrect, and that, in fact, only 808 individuals were at risk as a result of this incident," the OCR spokesman says.

Meanwhile, OCR is continuing to investigate whether the Puerto Rico breach incident is double-counted in its tally. A covered entity, the Puerto Rico Department of Health, and its business associate, Triple-S Salud Inc., apparently submitted three different reports for that one incident, the OCR spokesman says.

For now, the OCR breach list, by including all three reports, reflects a total of 806,000 individuals affected. "Eventually we may count these three for just a total of 400,000," the spokesman says. "It's complicated as these reports are in Spanish and our investigators have been working to understand the business associate relationships and what transpired."

As reported earlier, Triple-S Management Corp., a holding company that runs Blue Cross and Blue Shield plans and serves as a government contractor, said in a recent 10-Q securities filing that a competitor informed it that "certain of our competitor's employees" accessed a database without permission Sept. 9-15, 2010, in a breach incident affecting 400,000. Triple-S Management is the parent company of Triple-S Salud.

225 Breach Incidents

As of Jan. 21, the federal tally of health information breaches affecting 500 or more individuals lists a total of 225 incidents. Twelve new cases affecting about 28,000 have been reported since Dec. 22. Roughly 22 percent of all incidents on the list involve business associates, and about 57 percent involve the theft or loss of computer devices.

OCR began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the HITECH Act breach notification rule took effect.

Under the interim final version of the breach notification rule, breaches affecting 500 or more must be reported to OCR within 60 days. A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected to be revealed early this year. The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.

Attorney Kathy Roe predicts that the final HITECH breach notification rule likely will not eliminate the controversial harm standard, but instead will refine the standard to better define how to determine whether a breach represents a significant risk of harm and merits reporting (See: HIPAA Enforcement: A 2011 Priority?).

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network