
Large-Scale Data Breaches Have Increased, but Fewer Patients Affected, Report Says

February 14, 2013
by Rajiv Leventhal

According to a report from Carpinteria, Calif.-based Redspin Inc., a provider of IT security assessments, the number of large-scale health data breaches increased from 2011 to 2012, but the number of patients affected by such breaches decreased last year. The report, titled “Breach Report 2012, Protected Health Information,” examined a total of 538 incidents affecting over 21.4 million individuals since the interim breach notification rule under the HITECH Act went into effect in August 2009.

The report found that the number of health data breaches affecting 500 or more individuals increased from 121 in 2011 to 146 in 2012. However, the number of patient records affected by such breaches decreased from 10.6 million in 2011 to 2.4 million in 2012, according to the report.

Over half of all breaches (57 percent) have involved "business associates," third-party vendors that need access to protected health information (PHI) to provide their services to covered entities. "The recently-published HIPAA Omnibus Rule now requires business associates to comply with HIPAA privacy and security regulations directly and extends civil liability to BAs for PHI breach," said Daniel Berger, Redspin’s president and CEO. "This is a major regulatory change. But health providers should not just assume all BAs will comply—they need to be proactive, working closely with their business partners to build a secure 'chain of PHI custody.'"

Redspin also reported that the lack of encryption on laptops and other portable electronic devices is the root cause of over one-third of PHI breaches (38 percent). The company suggested that encryption of portable devices be more widely implemented and enforced, given the surge in the use of personally owned mobile devices at work.

Redspin warned that personal health records are high-value targets for cybercriminals, as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes—even held for ransom. Although there has been a relatively low incident rate of hacking among all PHI breaches to date, Berger said that last year's attack on the Utah Department of Health "may be the canary in the coal mine."


