According to a report from Carpinteria, Calif.-based Redspin Inc., a provider of IT security assessments, the number of large-scale health data breaches increased from 2011 to 2012, but the number of patients affected by such breaches decreased last year. The report, titled “Breach Report 2012, Protected Health Information,” examined a total of 538 incidents affecting over 21.4 million individuals since the interim breach notification rule under the HITECH Act went into effect in August 2009.
The report found that the number of health data breaches affecting 500 or more individuals increased from 121 in 2011 to 146 in 2012. However, the number of patient records affected by such breaches decreased from 10.6 million in 2011 to 2.4 million in 2012, according to the report.
Over half of all breaches (57 percent) have involved "business associates," third-party vendors that need access to protected health information (PHI) to provide their services to covered entities. "The recently-published HIPAA Omnibus Rule now requires business associates to comply with HIPAA privacy and security regulations directly and extends civil liability to BAs for PHI breach," said Daniel Berger, Redspin’s president and CEO. "This is a major regulatory change. But health providers should not just assume all BAs will comply—they need to be proactive, working closely with their business partners to build a secure 'chain of PHI custody.'"
Redspin also reported that the lack of encryption on laptops and other portable electronic devices is the root cause of over one-third of PHI breaches (38 percent). Given the surge in the use of personally owned mobile devices at work, the company suggested that encryption of portable devices be more widely implemented and enforced.
Redspin warned that personal health records are high-value targets for cybercriminals because they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes, and can even be held for ransom. Although hacking has accounted for a relatively low share of all PHI breaches to date, Berger said that last year's attack on the Utah Department of Health "may be the canary in the coal mine."