News Feature | March 9, 2015

PHI Data Breaches Up 25%

By Katie Wike, contributing writer

A Redspin report finds PHI data breaches rose by 25 percent in 2014 and affected the records of nearly nine million patients.

A recently released report from Redspin shows PHI data breaches increased 25 percent from 2013 to 2014. Health IT Security reports that, just since the HITECH Act went into effect in 2009, 40 million patients have suffered a breach of their records. Even worse, this statistic does not include the 80 million that could have been compromised in the recent Anthem breach.

“From here on, all PHI breach statistics are going to have to be reported as ‘pre- or post-Anthem,’” said Daniel W. Berger, President and CEO of Redspin, in a press release. “It's that big. We wouldn't be surprised to see the costs of the Anthem breach exceed a billion dollars.”

The report summarizes its findings as follows:

  • 1,170 large breaches of protected health information since 2009
  • 40,862,852 patient health records affected by breach since 2009
  • 8,899,610 patient health records breached in 2014 in 164 incidents
  • 25.5 percent increase in the number of patient records breached year-over-year
  • 82.8 percent of the total records breached in 2014 resulted from the 5 largest incidents
  • 4,500,000 records breached in the single largest incident in 2014
  • 53.4 percent of patient records breached in 2014 resulted from hacking attacks
  • 30.7 percent of patient records breached in 2014 resulted from unauthorized access or disclosure
  • 22.5 percent of 2014 incidents involved paper
  • Less than 30 percent of PHI breaches have involved a business associate in each year from 2009 to 2014

“Whether due to insider threat, snooping, or negligence, reducing unauthorized access can only be prevented by a comprehensive security program – not a once a year risk assessment but an integrated program of policies, controls, technical safeguards, organizational accountability, enforcement, training, and leadership,” Redspin stated.

The report concludes that providers must have comprehensive preventative measures in place to stop breaches, but that these measures must keep evolving, because the technology used to defeat them will evolve as well.

“HIPAA security risk assessments are only the tip of the iceberg, particularly for the providers who resist the idea that this scope of work needs to be technical,” the report notes. “It is not possible to adequately assess security risk without identifying real vulnerabilities and developing (and implementing) a remediation plan to address them.”