Large-Scale Data Breaches Have Increased, but Fewer Patients Affected, Report Says | Healthcare Informatics Magazine | Health IT | Information Technology Skip to content Skip to navigation

Large-Scale Data Breaches Have Increased, but Fewer Patients Affected, Report Says

February 14, 2013
by Rajiv Leventhal
| Reprints

According to a report from Carpinteria, Calif.-based Redspin Inc., a provider of IT security assessments, the number of large-scale health data breaches increased from 2011 to 2012, but the number of patients affected by such breaches decreased last year. The report, titled “Breach Report 2012, Protected Health Information,” examined a total of 538 incidents affecting over 21.4 million individuals since the interim breach notification rule under the HITECH Act went into effect in August 2009.

The report found that the number of health data breaches affecting 500 or more individuals increased from 121 in 2011 to 146 in 2012. However, the number of patient records affected by such breaches decreased from 10.6 million in 2011 to 2.4 million in 2012, according to the report.

Over half of all breaches (57 percent) have involved "business associates," third-party vendors that need access to protected health information (PHI) to provide their services to covered entities. "The recently-published HIPAA Omnibus Rule now requires business associates to comply with HIPAA privacy and security regulations directly and extends civil liability to BAs for PHI breach," said Daniel Berger, Redspin’s president and CEO. "This is a major regulatory change. But health providers should not just assume all BAs will comply—they need to be proactive, working closely with their business partners to build a secure 'chain of PHI custody.'"

Redspin also reported that the lack of encryption on laptops and other portable electronic devices is the root cause of over one-third of PHI breaches (38 percent). The company suggested that encrypting portable devices be more widely implemented and enforced given the surge in the use of personally-owned mobile devices at work.

Redspin warned that personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes—even held for ransom. Although there has been a relatively low incident rate of hacking among all PHI breaches to date, Berger said that last year's attack on the Utah Department of Health "may be the canary in the coal mine."



NewYork-Presbyterian, Walgreens Partner on Telemedicine Initiative

NewYork-Presbyterian and Walgreens are collaborating to bring expanded access to NewYork-Presbyterian’s healthcare through new telemedicine services, the two organizations announced this week.

ONC Releases Patient Demographic Data Quality Framework

The Office of the National Coordinator for Health IT (ONC) developed a framework to help health systems, large practices, health information exchanges and payers to improve their patient demographic data quality.

AMIA, Pew Urge Congress to Ensure ONC has Funding to Implement Cures Provisions

The Pew Charitable Trusts and the American Medical Informatics Association (AMIA) have sent a letter to congressional appropriators urging them to ensure that ONC has adequate funding to implement certain 21st Century Cures Act provisions.

Former Michigan Governor to Serve as Chair of DRIVE Health

Former Michigan Governor John Engler will serve as chair of the DRIVE Health Initiative, a campaign aimed at accelerating the U.S. health system's transition to value-based care.

NJ Medical Group Launches Statewide HIE, OneHealth New Jersey

The Medical Society of New Jersey (MSNJ) recently launched OneHealth New Jersey, a statewide health information exchange (HIE) that is now live.

Survey: 70% of Providers Using Off-Premises Computing for Some Applications

A survey conducted by KLAS Research found that 70 percent of healthcare organizations have moved at least some applications or IT infrastructure off-premises.