PHI Breaches Soared By 138% In 2013

By Christine Kern, contributing writer

Redspin Breach Report Sees Personal Data Breaches Skyrocket

A breach report from healthcare IT security firm Redspin reveals startling insights to HIPAA breaches in the past year. For example, 29.3 million patient health records have been compromised in a total of 804 HIPAA breaches since 2009, and last year alone there was a 138 percent rise in the number of healthcare records breached.

By the numbers, the report reveals that almost 8 million records were breached in 2013; with 85.4 percent of the total records breached in 2013 part of the five largest incidents. The largest single incident involved a compromise of over four million records.

Further, 83.2 percent of the patient records breached in 2013 resulted from theft, while 22.1 percent were the result of unauthorized access. Of the 2013 incidents, 35 percent were due to the loss or theft of an unencrypted laptop or other portable electronic device, and 20 percent of the PHI breaches have involved a business associate each hear from 2009-2013.

And yet, as Healthcare IT News reports, these figures are only part of the picture. Industry officials claim that many healthcare breaches still go unreported, and many breach offenders are not publicly revealed. These numbers are further clouded because breaches involving the health records of fewer than 500 individuals are not required to be publicly reported.

Addressing the 2012 Boston Privacy and Security Forum, Lisa Gallagher, senior director of privacy and security for HIMSS, shared that between 40 and 45 million patient records have actually been compromised. This is far higher than the reported numbers. She added that the number can’t be confirmed, since the data isn’t all there, but that it is a more accurate number based on actual healthcare organizations’ reporting.

Almost 5,500 of the 90,000 complaints HHS' Office for Civil Rights received in 2013 went unresolved. And although the office boasts a 94 percent success rate for resolving cases, the statistics on “success” might be skewed. As many as 53,000 of those cases may have been closed on technicalities, because either OCR lacked jurisdiction, or the complaint was untimely or withdrawn, not because a HIPAA violation did not occur.

Out of the more than 90,000 HIPAA breach cases OCR has received since 2003, only 17 have resulted in fines thus far.

In an August interview with Healthcare IT News regarding the new HIPAA rules, HHS' Office for Civil Rights Director Leon Rodriguez said those numbers are expected to go up, especially with the initiation of the official audit program this year. He concluded, "I think all these (17) cases really powerfully articulate those expectations and the fact that we will be holding people accountable."

The most significant mistake by HIPAA-covered entities, he said, was inadequate risk analysis by both business associates and covered entities alike concluding that it’s the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis.”

Ultimately, the Redspin report agreed with Rodriguez’ assessment, and concluded that encryption of sensitive data must be the wave of the future, even if it is not required by the CMS. They concluded the report with a list of five steps to ensure against data breaches:

• conduct an annual HIPAA security risk analysis
• inoculate yourself by encrypting data-at-rest
• conduct frequent vulnerability assessments and penetration testing
• invest in the security awareness of your workforce
• engage with your business associates