DataBreachToday.com

Breach Stats: Signs of Improvement?

2012 Breach Tally, So Far, Much Lower Than 2011

By Marianne Kolbasuk McGee, December 20, 2012. Follow Marianne @HealthInfoSec

Only 13 major health data breaches affecting a combined total of 192,000 individuals have been added to the official government wall of shame tally since Sept. 21. The number of major incidents and individuals affected in 2012 appears - for now, at least - to be on a pace to be lower than in 2011.

But the tally for this year's breaches could change dramatically in the months to come because the Department of Health and Human Services' Office for Civil Rights continually adds incidents as it confirms the details. For example, it recently added a 2011 breach to the list. The tally only includes breaches affecting 500 or more individuals.

"I think there's some randomness in the breaches and numbers of individuals affected, so I wouldn't read too much into the statistics," says Kate Borten, principal of IT security firm The Marblehead Group. "The bad news is that breaches continue to happen, and in significant numbers. Also, remember that we don't know about breaches affecting fewer than 500 people, since they aren't posted on [the HHS] website."

Security consultant Tom Walsh offers a similar assessment. "Only time will tell if the decline in the rates of reported breaches is a sign that we are making progress," he says. "No organization wants to be fodder for 'lessons learned the hard way.' The very mention of certain healthcare organizations' names triggers the memories of huge breaches, fines and other bad press."

The Latest Numbers

The federal list shows that in 2011, nearly 150 major breaches affected 10.8 million individuals, including seven huge incidents that affected a combined total of about 9.9 million. By comparison, the partial tally for 2012 shows nearly 100 incidents affecting 2.2 million, with the five largest incidents affecting a combined total of 1.5 million.

The running breach tally, which dates back to September 2009, now includes 511 incidents affecting 21.4 million individuals.

Only nine breaches affecting 177,000 have been added to the list since Oct. 22 (see: Health Breach Tally Tops 500 Milestone). The largest incident added in recent weeks was a breach at Alere Home Monitoring involving the loss of an unencrypted laptop, which affected about 116,000 individuals.

Survey Findings

In light of highly publicized breaches, many healthcare organizations plan to take breach-prevention action next year. The 2012 Healthcare Information Security Today Survey, the complete results of which will soon be published on HealthcareInfoSecurity, shows that the top three breach prevention steps organizations will take in the coming year are:

  • Stepped-up training on privacy and security issues;
  • Implementing encryption of all mobile devices and removable media;
  • Implementing audit tools to enhance detection of unauthorized access.
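The third step, audit tooling that surfaces unauthorized access, is the one that most rewards a concrete look at what the tool has to do with the data an EHR already logs. The screening below is an added illustration written for this article; it is not code from the article, from the survey, or from any vendor's audit product. The log line format, the care-team (treatment relationship) table, the list of non-clinical roles, and the off-hours and bulk-lookup thresholds are all assumptions chosen for the example; the sample audit trail is constructed. It applies three common checks: access by a user with no treatment relationship to the patient, off-hours access by a non-clinical role, and a burst of lookups across many distinct patients.

```python
"""Screen an EHR access audit trail for signs of unauthorized PHI access.

Added example, not code from the article or from any audit tool. The log
format, care-team table, role list and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import timedelta, datetime

# Constructed sample audit trail. Assumed format per line:
# <ISO timestamp> <user> <role> <patient MRN> <action>
SAMPLE_LOG = """\
2012-12-18T09:12:03 jdoe nurse MRN1001 view
2012-12-18T09:15:47 jdoe nurse MRN1002 view
2012-12-18T13:02:11 amiller physician MRN1001 update
2012-12-18T13:30:40 amiller physician MRN3001 view
2012-12-18T22:41:10 rsmith billing MRN2001 view
2012-12-18T22:41:15 rsmith billing MRN2002 view
2012-12-18T22:41:21 rsmith billing MRN2003 view
2012-12-18T22:41:28 rsmith billing MRN2004 view
2012-12-18T22:41:33 rsmith billing MRN2005 view
2012-12-18T22:41:39 rsmith billing MRN2006 view
"""

# Assumed treatment-relationship table: users currently caring for each patient.
# In a real deployment this comes from scheduling/admission data, not a literal.
CARE_TEAM = {
    "MRN1001": {"jdoe", "amiller"},
    "MRN1002": {"jdoe"},
    "MRN3001": {"kchen"},
}

# Assumed: roles whose duties do not normally involve after-hours chart review.
NON_CLINICAL_ROLES = {"billing", "registration", "it"}

BULK_WINDOW = timedelta(minutes=10)  # assumed
BULK_THRESHOLD = 5                   # distinct patients inside the window, assumed
OFF_HOURS = (22, 6)                  # 22:00 to 06:00, assumed


def parse_log(text):
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, mrn, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "mrn": mrn, "action": action})
    return events


def is_off_hours(ts):
    start, end = OFF_HOURS
    return ts.hour >= start or ts.hour < end


def find_suspicious(events):
    """Return (rule, user, detail) tuples for each triggered check."""
    findings = []

    # Rule 1: the user is not on the patient's care team.
    for e in events:
        if e["user"] not in CARE_TEAM.get(e["mrn"], set()):
            findings.append(("no_relationship", e["user"], e["mrn"]))

    # Rule 2: a non-clinical role reading charts during off hours.
    for e in events:
        if e["role"] in NON_CLINICAL_ROLES and is_off_hours(e["ts"]):
            findings.append(("off_hours", e["user"], e["mrn"]))

    # Rule 3: bulk lookups, i.e. BULK_THRESHOLD or more distinct patients
    # touched by one user within BULK_WINDOW. One finding per user is enough.
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            distinct = {x["mrn"] for x in window}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("bulk_lookup", user, len(distinct)))
                break
    return findings


def summarize(findings):
    """Count findings per rule, the figure a reviewer triages first."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_suspicious(parse_log(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

Run on the constructed trail, the physician's single view of a patient outside his care team and the billing user's six-record burst at 22:41 are both flagged, while the nurse's daytime views of her own patients are not. The care-team rule is the one that catches most real insider snooping, but it is only as good as the relationship data feeding it, which is why the check is better sourced from admission and scheduling records than from a static list like the one here.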

"I think those are great steps to take," Borten says. "For example, loss and theft of unencrypted devices and media with PHI [protected health information] continues to be a big issue. But more and more organizations that permit personally-owned devices and media to be used for work are finally requiring encryption and, further, are providing the encryption."

The survey also shows that the top information security priorities for the coming year are improving regulatory compliance; improving security awareness and education for physicians, staff, executives and board; and preventing and detecting breaches.

Educating employees and clinicians about data security is a vital step in preventing breaches, Walsh says. "Technical controls can only go so far to protect data," he notes. "We depend upon the users of technology to follow the rules and policies and not to circumvent the technical security controls."

To gain staff buy-in, hospitals, clinics and other organizations need to educate staff on regulatory requirements and breach risks, and then explain why security controls are in place, Walsh says. "It is important to remind individuals that they could be held personally liable - by federal or state authorities - for blatant violations that compromise personally identifiable information."

Biggest 2012 Breaches So Far
