Nearly 21 million individuals have been affected by large health data breaches since HHS' Office for Civil Rights (OCR) began publicly reporting such incidents in September 2009, Modern Healthcare reports (Conn, Modern Healthcare, 8/1).
Background
The 2009 federal economic stimulus package included a provision that tightened HIPAA protections by requiring health care providers, insurers and business associates to report breaches of patient health information.
Under the requirements, organizations must submit annual reports on small-scale breaches affecting fewer than 500 individuals. Large-scale breaches that affect 500 or more individuals must be reported promptly. OCR publicly posts information about large breaches on its website (iHealthBeat, 9/7/11).
Latest Data on Breaches
Since September 2009, OCR has received reports of 477 breaches affecting 500 or more individuals. Tens of thousands of breaches involving fewer than 500 individuals also have been reported.
OCR data show that since September 2009:
- A total of 20,970,222 individuals have had their medical records compromised in large health data breaches;
- The average number of individuals affected by a large data breach is 43,963 and the median number of affected individuals is 2,184; and
- About 21% of the large health data breaches reported to OCR involved a business associate of a covered entity.
Common Types of Breaches
Of the large health data breaches reported to OCR:
- 54% involved theft;
- 20% involved unauthorized data access or disclosure;
- 11% involved loss of data;
- 6% involved hacking;
- 5% involved improper disposal of data; and
- 4% were labeled as "other" or "unknown" incidents (Modern Healthcare, 8/1).