Health and Human Services (HHS) made its first annual report to Congress last week regarding the number and nature of breaches reported to the Office of Civil Rights (OCR) since the effective date of HITECH as is required by the HITECH Act. HHS also submitted information as to the actions taken by the reporting entities in response to those breaches.

From September 23, 2009 to December 31, 2010, over 30,000 healthcare data breaches have been reported to OCR affecting more than 7.8 million individuals. The report separates breaches into each calendar year and numbers affected. For the reporting months of 2009, 45 healthcare data breaches affecting more than 500 people (large breaches) were reported with covered entities notifying approximately 2.4 million individuals affected by these large breaches. For breaches involving fewer than 500 people, OCR received 5,521 reports during the 2009 reporting months affecting approximately 12,000 people. For the calendar year 2010, 207 large breaches affecting 5.4 million individuals were reported to OCR and over 25,000 reports of smaller breaches involving more than 50,000 people were reported.

Cause of breaches

According to the report, the most common cause of the large breaches was theft for both 2009 and 2010. Incidents of theft of paper records or electronic media affected over 4.4 million people. Many of these thefts occurred on the premises of the covered entities with theft of desktop computers, laptops, and portable electronic devices such as smart phones and flash drives being the most common. In 2009, the next most common cause was intentional unauthorized access to, use or disclosure of protected health information (PHI), such as phishing, employee misuse of credit card information, and network hacking. In 2010, intentional unauthorized access was the third most common cause but included hacking, and employees accessing information for personal gain. Human error and loss of electronic media or paper records containing PHI rounded out the most common causes for each year. In 2010, the second most common cause was loss of electronic media or paper records containing PHI mostly through portable electronic devices, including back-up tapes, compact discs, memory cards, flash drives and smart phones. Several of these involved breaches on the part of a business associate.

HHS also describes the most commonly reported remedial action taken by the covered entities in response to the larger breaches:

  • Revising policies and procedures
  • Improving physical security with new security systems or relocation of equipment and records to a secure area
  • Training/retraining of workforce members
  • Free credit monitoring
  • Encryption
  • Imposing sanctions on workforce members
  • Changing passwords
  • Performing new risk assessments
  • Revising business associate agreements to protect confidential information more explicitly

To date, of the 252 larger breaches reported, OCR has closed approximately 76 of these cases, where through investigation, OCR has determined that the covered entity properly complied with the breach notification requirements and that the corrective actions taken appropriately addressed the underlying cause of the breach so as to avoid future incidents and mitigated the harm to the affected parties. In the remaining 176 cases, OCR continues to investigate and work with the covered entities to ensure appropriate remedial action is taken.

In review of this report, it is clear that OCR will investigate, in detail, the large reported breaches. Since theft and loss of protected health information continue to be the most common causes of healthcare data breaches, covered entities should assess their physical security around protected health information and ensure that electronic devices, including computers, laptops, smart phones, and flash drives, are encrypted. Finally, business associates agreements should be scrutinized to ensure that covered entities are ensuring that their business associates are compliant and accountable for security of PHI.