• Home
  • Blog
  • Contact
HIPAA ComplianceHIPAA Compliance
HIPAA ComplianceHIPAA Compliance
  • Home
  • Blog
  • Contact

OCR Reports 107 Breaches Affecting Over 4 Million Individuals (I)

July 6, 2010 American Recovery and Reinvestment Act, Enforcement, Health IT and HITECH, Privacy, Security No Comments

As of the July 4th holiday weekend, the Office for Civil Rights (OCR) has updated again its Web site listing of breaches affecting 500 or more individuals.  As of July 2, 2010, there were 107 breaches listed that were reported to have occurred between September 22, 2009 and June 11, 2010. Individuals affected by these publicly listed breaches totaled 4,086,980.  Six of the 107 breaches, or 5.6% of the total, affected 3,353,627 individuals, or 82% of the total.  This is the first of three postings that analyzes the data from these 107 breaches.  This posting (I) covers electronic breaches, the next posting (II) covers hard copy (paper) breaches, and the final posting (III) looks at the prevalence of business associate involvement.

Public listing of such breaches is required by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that was enacted as part of the American Recovery and Reinvestment Act of 2009.  The breach list has been on the OCR Web site since February 23, 2010, the day after OCR began enforcement of breach notification for breaches that occurred on or after February 22.  Excluding seven breaches that were not identified as to location, 25% involved breaches of protected health information (PHI) in hard copy (paper) form and 75% in various electronic forms.  Of the electronic breaches, which included several in multiple electronic forms, 34 involved laptops, 15 desktops, 11 portable devices, 9 servers, and the remaining 11 miscellaneous forms (2 hard disks, 2 computers (not otherwise identified), 2 backup tapes, 2 electronic medical records (EMRs), 2 other (not identified), and 1 CD).

Of the 75 electronic breaches, 58, or 77%, involved theft, and 11, or 15%, involved unauthorized access, with 7 of those 11 also reported in association with theft.  There were six reported losses, or 8%, with 2 of those 6 also reported in association with theft.  There were four reported hacking incidents, or 5%, with 1 of those 4 also reported in association with unauthorized access.  Finally, there were 6, or 8%, defined as other, with 1 of those 6 also reported in association with theft.

Of the 34 breaches involving a laptop, 32, or 94% involved a theft, and the remaining 2 breaches, or 6%, involved a loss. Of the 11 breaches involving a portable device, 10, or 91%, involved a theft, with one, or 9%, a loss.  Whether a theft or loss, the evidence from the growing number of publicly reported breaches is that portable computers and devices must be encrypted to secure protected health information, in accordance with the August 24, 2009, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 Federal Register 42742-42743) in order to avoid the growing costs to breaching entities of complying with provisions of the breach notification rule, reputational harms to those entities, and financial and inconvenience harms to affected individuals. [20100702]

Tags: 4 millionaffected individualsAmerican Recovery and Reinvestment Act of 2009August 24 2009 Guidancebackup tapebreachbreach notification rulebreachesbusiness associateCDcomputerdesktopelectronic formelectronic medical recordEMRencryptedfinancial harmshacking incidenthard copyhard diskHealth Information Technology for Economic and Clinical Health ActHITECH ActJuly 4thlaptopslossOCROCR Web siteOffice for Civil RightspaperPHIportable deviceprotected health informationreputational harmssecure protected health informationservertheftunauthorized access
No Comments
Share
0

You also might be interested in

five steps to HIPAA compliance

Five Steps to HIPAA Security Compliance

Oct 16, 2013

The health insurance portability and accountability act has set various[...]

The HIPAA Privacy Rule’s Right of Access and Health Information Technology

Jan 19, 2009

U.S. Department of Health and Human Services, Office for Civil[...]

HIPAA Final Rule: Genetic Information Nondiscrimination Act: Underwriting Prohibitions

Feb 18, 2013

February 18, 2013.  Today, we examine underwriting prohibitions as they[...]

Leave a Reply Cancel Reply

Categories

  • 5010
  • American Recovery and Reinvestment Act
  • Enforcement
  • GINA
  • Health Care Reform
  • Health IT and HITECH
  • HIPAA Law
  • Identifiers
  • Meaningful Use
  • Privacy
  • Red Flags Rules
  • Security
  • Transactions & Code Sets
  • Uncategorized

Recent Posts

  • Contracting with Vendors that are NOT HIPAA Business Associates: Best Practices
  • HIPAA Breach: Who You Gonna Call?
  • Can I Be Sued for a HIPAA Violation?
  • Business Associate Agreements – a First Look at Indemnification
  • Gmail, Google Apps for Business HIPAA Business Associate Agreements

Archives

Contact Us

We're currently offline. Send us an email and we'll get back to you, asap.

Send Message
HIPAA- Health Insurance Portability Accountability Act

© 2023 · hipaa.com

Prev Next