The US Department of Health and Human Services (HHS) is charged, under the HITECH Act, with collecting data breach notifications from HIPAA-covered entities. Under the Act, an entity must promptly send HHS an official notification when a breach affects more than 500 people; breaches affecting 500 or fewer people are reported annually. Encrypting the data (with a product such as AlertBoot) provides the equivalent of a safe harbor: properly encrypted PHI is not considered unsecured, so its loss does not trigger the notification requirement.
36 Entities Reported – A Summary
Thirty-six hospitals, clinics, private practices, and other medical facilities appear in this first report. Between September 2009 and January 2010, more than 1 million people were affected in total.
Types of Breaches
The types of breaches listed are pretty straightforward.
Unauthorized Access: 7
Phishing Scam: 1
Hacking/IT Incident: 1
Incorrect Mailing: 1
Misdirected E-mail: 1
The sum exceeds 36 because there are overlapping descriptions.
Location of Breached Information
Portable Electronic Devices/USB/Hard Drives: 6
Network Servers/Computers: 3
Backup Tapes/CDs: 3
Others (paper-based and such): 7
The sum also exceeds 36 because of overlapping devices/documents. I’ve also taken the liberty of combining certain categories together (e.g., portable electronic devices and portable USB devices).
Breakdown and Analysis
It doesn’t take a genius to see that the theft and loss of computers and similar devices (laptops, desktops, servers, USB devices, etc.) are the leading cause of data breaches, at least where HIPAA-covered entities are involved. In fact, they are more than the leading cause: they account for well over half of the reported breaches. There’s not much to analyze, actually.
(Here’s something to think about: are the thefts and losses of computers the real leading reason for data breaches, or are they just better reported? I’d notice if a laptop were stolen at my office. I’d probably never notice that a folder full of files was missing out of my file cabinet, which I haven’t even peeked into in years. Hmph; why do I still have that thing around?).
A further breakdown and analysis is available at waynerino.com. The numbers there differ a little from mine, no doubt because I’ve combined certain categories, but the conclusions are essentially the same.
Also worth noting at waynerino.com is the breakdown by geographic location. The state with the most reported breaches is California, with 28%. My guess is that this doesn’t indicate that California is full of data thieves; rather, it probably indicates that California entities are better informed about notifying HHS. This is the state that started the entire breach notification trend, after all.
What I find most unfortunate is that encryption software would have prevented most of these breaches. Not the actual theft or loss of the devices, mind you; I mean that it would have kept the thieves from also getting at the patient information.
Disk encryption on desktops and laptops, for example, makes everything on the drive unreadable without the key. With pre-boot authentication, the thief can’t even start the computer: the operating system won’t load until the right credentials are supplied. The caveat is that disk encryption protects data at rest; a laptop stolen while powered on still holds the key in memory, so devices should be shut down, not merely put to sleep, before they leave the office.
As an alternative, file encryption could also have been used, and may even have been the only option for files saved to backup tapes and CDs, which whole-disk encryption doesn’t cover.
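As an added example (not code from the original post or from AlertBoot), here is what file-level encryption of a record looks like at the command line before the file goes onto a tape or CD. It uses the openssl CLI, which is assumed to be installed; the file names and the sample patient record are constructed for the demonstration. The script checks the three properties that matter for a stolen backup: the ciphertext exposes no identifier a thief could grep for, a wrong key does not recover the record, and the right key restores it.

```shell
#!/bin/sh
# Added example, not code from the original post or from AlertBoot.
# Encrypts a record file before it is written to backup media, using the
# openssl CLI (assumed installed). Paths and the sample record are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample record standing in for the PHI that would go on a tape or CD.
printf 'MRN 000123, DOE JOHN, DOB 1950-01-01, Dx: hypertension\n' > "$WORK/record.txt"

# The key stays with the covered entity and never travels with the media.
# A second, unrelated key plays the role of the thief's guess.
openssl rand -hex 32 > "$WORK/key.txt"
openssl rand -hex 32 > "$WORK/wrong.txt"

# encrypt_file PLAINTEXT KEYFILE CIPHERTEXT
# AES-256-CBC with a random salt; the file key is derived from KEYFILE via PBKDF2.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
        -pass "file:$2" -in "$1" -out "$3"
}

# decrypt_file CIPHERTEXT KEYFILE PLAINTEXT; nonzero exit when the key is wrong.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -pass "file:$2" -in "$1" -out "$3" 2>/dev/null
}

# demo returns 0 only if all three properties hold:
#   1. the ciphertext carries no patient identifier in the clear,
#   2. the stolen media cannot be read with a wrong key,
#   3. the covered entity can still restore the record with the right key.
demo() {
    encrypt_file "$WORK/record.txt" "$WORK/key.txt" "$WORK/record.enc"

    # 1. Nothing a thief could search the media for survives in the clear.
    if grep -q 'DOE' "$WORK/record.enc"; then
        return 1
    fi

    # 2. A wrong key either fails outright or yields garbage, never the record.
    if decrypt_file "$WORK/record.enc" "$WORK/wrong.txt" "$WORK/bad.txt" \
       && cmp -s "$WORK/bad.txt" "$WORK/record.txt"; then
        return 1
    fi

    # 3. The legitimate key round-trips the record for a restore.
    decrypt_file "$WORK/record.enc" "$WORK/key.txt" "$WORK/restored.txt"
    cmp -s "$WORK/restored.txt" "$WORK/record.txt"
}

demo && echo "encrypted backup verified: media is useless without key.txt"
```

Two points a practitioner should keep in mind: `openssl enc` in CBC mode gives confidentiality for lost or stolen media but no tamper detection, so backups that also need integrity should carry a MAC over the ciphertext or be produced with a tool that offers authenticated encryption; and the key file is the whole game, so it has to be stored and backed up separately from the tapes, or the encryption protects nothing.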
Related Articles and Sites: