Health Care Data Breaches Affect 10 Million Patients Since Fall 2009

A Department of Health & Human Services tally of data breaches since 2009 lists about 260 incidents that affected more than 10 million patients.

A list of data breaches by the Office for Civil Rights in the U.S. Department of Health and Human Services reveals that more than 10 million patients have been affected by security lapses in about 260 health care-related incidents reported since 2009.

The department began compiling the list on Feb. 22, 2010, when the HITECH Act breach notification rule was enacted. Section 13402(e)(4) of the rule requires health care organizations to report breaches affecting more than 500 people within 60 days to HHS Secretary Kathleen Sebelius. HHS then adds the incidents to the list on its Website.

Cases that have been reported to HHS date back to Sept. 22, 2009.

The breach on the HHS list impacting the most patients involved insurance provider HealthNet in Rancho Cordova, Calif. In that case, about 2 million people were affected when nine server drives disappeared from the company's data center on Jan. 21.

The second-largest breach occurred when computer backup tapes were stolen from a truck belonging to the North Bronx Healthcare Network in New York, placing the data of 1.7 million patients, staff members and others at risk.

Meanwhile, HHS has penalized organizations such as Massachusetts General Hospital and Cignet Health for cases that violated HIPAA (Health Insurance Portability and Accountability Act) privacy regulations.

A move toward EHRs (electronic health records) or EMRs (electronic medical records) could be to blame for the rise in security breaches, according to David Ting, CTO of access-management vendor Imprivata.

"The scale of breaches has risen exponentially along with the adoption of EMR systems, and today hundreds of thousands of records containing electronic patient health information can be stored in a device smaller than a lunch box," Ting wrote in an email to eWEEK. "The idea of a breach on that scale back in the paper-based days, whether through unlawful or simply negligent behavior, was highly unlikely."

With about 260 cases reported to HHS, the potential for those affected could be more than the number reported, according to Mac McMillan, CEO of health care security firm CynergisTek and a former U.S. Defense Department intelligence officer.

"Traditionally speaking, the number of instances of compromise have always been much lower than the potential number of records/people who could have been affected," McMillan wrote in an email to eWEEK.

With data in many of the health care breaches stored on ordinary flash drives or external hard drives, employees often forget where they've stored sensitive data until it's lost.

"Most organizations do not have a handle on where all their PHI [personal health information] is, let alone whether its location is appropriate or necessary," McMillan explained. "This is where data-loss prevention tools, for instance, are useful to perform that detailed discovery that permits building that accurate PHI mapping," he said.

Completing the mapping allows companies to establish rules to reduce the risk that the data is stored on unauthorized devices.

To make data more secure, health care organizations can choose products that provide single sign-on, log-in management, hard drive encryption as well as real-time inspection of packets and server management, according to Ting.

With workers in health care organizations failing to encrypt sensitive data and not knowing where they've stored the information, the resulting health care breaches could be described as "self-inflicting wounds," McMillan said.

"Basically 67 percent of these incidents involve some form of physical theft or loss of an IT asset, desktop, laptop, tape, server, etc., that were not encrypted," he noted. "How many more do we need to see before organizations re-evaluate their controls and consider encryption a requirement?"