The Security Scrutinizer with Howard Anderson

Major Breaches: Progress in 2011?

Numbers Seem to Show a Downward Trend

If you take a close look at the healthcare information breach "wall of shame," you'll notice that maybe, just maybe, we're making some progress this year.

Since September 2009, the Department of Health and Human Services' Office for Civil Rights, carrying out a HITECH Act mandate, has been posting major health information breach incidents to its online list once it confirms all the details. So far, the list includes 288 major incidents affecting about 11 million Americans.

But as we reported this week, only 32 incidents that have occurred in 2011 have been posted to the list (see: 11 Million Affected by Major Breaches). And although this year's incidents have affected a total of about 2.7 million, just one incident - involving insurer Health Net and its business associate IBM - accounted for 1.9 million of those.

So (dare we say it?) it appears the wall of shame, as it builds awareness - and bad publicity - about breaches, may be motivating more organizations to launch breach prevention strategies. Fewer major incidents (those affecting 500 or more individuals) are being posted this year. Of course, that could change in the blink of an eye. But for now, it's good news, indeed.

The federal tally shows that about 210 major breaches occurred in 2010, affecting about 5.4 million. That's an average of 17.5 incidents per month. For the first three months of 2011, by comparison, the average is less than 9 incidents per month. (Of course, that average might change as federal authorities gather more information about more incidents.)

Will that decline in breach incidents continue throughout this year, or will the tally ebb and flow? And will another mega-breach dramatically add to the total affected? We'll have to wait and see.

One thing we know for sure: The list confirms that the most common cause of breaches is the theft or loss of computer devices and media. Not hackers. Not grand conspiracies. Just unencrypted laptops, desktops, hard drives and other computer gear getting lost or stolen.

So it's time to think long and hard about whether patient information needs to be stored on any particular device. And it's time to encrypt stored information as well as e-mail. If more organizations take at least those steps, perhaps the trend toward fewer breaches will continue.

About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
