Updating the Breach Scorecard
Recent Incidents Dramatically Expand Scope of Impact
A breach affecting an estimated 4.9 million beneficiaries in the TRICARE military health program, as well as a Nemours children's health system breach affecting 1.6 million, has not yet been added to the Department of Health and Human Services' Office for Civil Rights' tally of major breaches. Incidents are added once OCR investigators confirm the details, so the official totals for those affected in the TRICARE and Nemours incidents could differ from the numbers reported by the organizations so far.
As of Oct. 24, the federal "wall of shame" lists 345 breach incidents affecting almost 12 million individuals. Fifteen incidents affecting about 127,000 have been added to the list since Sept. 22.
OCR has been tallying major breaches - those affecting 500 or more individuals - since Feb. 22, 2010, for incidents dating back to Sept. 23, 2009, when the HIPAA breach notification rule, mandated under the HITECH Act, took effect.
The Largest Breaches
If the numbers stand up, the TRICARE incident will be the largest reported so far, in terms of individuals affected, and the Nemours incident will rank fourth.
In the TRICARE incident, backup tapes were stolen from the parked car of an employee of a business associate, Science Applications International Corp. In the Nemours incident, a locked cabinet containing three backup tapes is missing from a facility.
Other incidents in the top five are:
- Health Net: The insurer notified 1.9 million individuals nationwide that their healthcare and personal information may have been breached in January as a result of nine server drives discovered missing from a California data center managed by IBM.
- The New York City Health and Hospitals Corp.: This breach, which affected 1.7 million individuals, stemmed from computer backup tapes that were stolen in December 2010 from a business associate's truck.
- AvMed Health Plans: This December 2009 breach was caused by the theft of an unencrypted laptop, which may have included information on more than 1.2 million current and former members.
All of the top five incidents have involved the loss or theft of unencrypted computers or storage media. Overall, more than half of incidents now on the federal tally have involved such losses or thefts.
Under the HIPAA breach notification rule, breaches of information that's been encrypted using a specific standard do not have to be reported. As a result, many experts advise healthcare organizations to encrypt data on mobile devices and media.
Security consultant Rebecca Herold says recent breach incidents illustrate the value of encryption, especially for backup tapes. "I still hear far too many people say, 'Bah, that's not necessary! Who's going to have any type of equipment to actually read the tapes?' Well, guess what, you can check eBay, Craig's List and other online shops and find such equipment," Herold says. "Plus, there are services out there that will convert the data on such tapes to other types of digital storage for basically anyone who asks."
Based on the current federal tally, more than 20 percent of all incidents have involved business associates. And the top three incidents, TRICARE, Health Net and New York City Health and Hospitals Corp., all involved business associates. These three incidents alone potentially could represent more than 45 percent of all individuals affected by breaches since the notification rule took effect.
"Organizations are going to have to become more aggressive with their business associate agreements and ask for proof that they've been audited by a third party and that they are, indeed, using security controls and are measuring the effectiveness of those controls," says Terrell Herzig, information security officer at UAB Health System in Birmingham, Ala.
The Department of Defense recently joined with two other agencies in issuing a proposed rule calling for government contractors to ensure their staff receives proper privacy training before handling sensitive information (see: Training Proposed After TRICARE Breach).
The HIPAA breach notification rule requires healthcare organizations to notify those affected by breaches of any size. Major incidents must be reported to the Office for Civil Rights within 60 days. Smaller breaches must be reported to the office annually.
A final version of the HIPAA breach notification rule could further clarify exactly what types of incidents need to be reported. It's expected later this year as part of an "omnibus" package of several rules (see: HITECH Mandated Regs Still in Works). The interim version now in effect contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.