As of the July 4th holiday weekend, the Office for Civil Rights (OCR) has again updated its Web site listing of breaches affecting 500 or more individuals. As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980. Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total. This is the first of three postings that analyze the data from these 107 breaches. This posting (I) covers electronic breaches, the next posting (II) covers hard copy (paper) breaches, and the final posting (III) looks at the prevalence of business associate involvement.
Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009. The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22. Excluding seven breaches whose location was not identified, 25% involved breaches of protected health information (PHI) in hard copy (paper) form and 75% in various electronic forms. Of the electronic breaches, several of which involved multiple electronic forms, 34 involved laptops, 15 desktops, 11 portable devices, 9 servers, and the remaining 11 miscellaneous forms (2 hard disks, 2 computers (not otherwise identified), 2 backup tapes, 2 electronic medical records (EMRs), 2 other (not identified), and 1 CD).
Of the 75 electronic breaches, 58, or 77%, involved theft, and 11, or 15%, involved unauthorized access, with 7 of those 11 also reported in association with theft. There were six reported losses, or 8%, with 2 of those 6 also reported in association with theft. There were four reported hacking incidents, or 5%, with 1 of those 4 also reported in association with unauthorized access. Finally, there were 6, or 8%, defined as other, with 1 of those 6 also reported in association with theft.
Of the 34 breaches involving a laptop, 32, or 94%, involved a theft, and the remaining 2 breaches, or 6%, involved a loss. Of the 11 breaches involving a portable device, 10, or 91%, involved a theft, with one, or 9%, a loss. Whether by theft or loss, the evidence from the growing number of publicly reported breaches is that portable computers and devices must be encrypted to secure protected health information, in accordance with the August 24, 2009, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 Federal Register 42742-42743). Doing so avoids the growing costs to breaching entities of complying with the provisions of the breach notification rule, the reputational harm to those entities, and the financial harm and inconvenience to affected individuals.