According to the folks at phiprivacy.net, the recent addition of twenty-nine data breaches to the HHS “Wall of Shame” show that laptop and desktop computers still account for approximately half of all medical data breaches. This indicates two things: (1) Too many covered entities are not using HIPAA level encryption and (2) computers still account for most data breaches, regardless of what your fears over hacking may be.
Computers Account for Exactly Half or Slightly More than Half
The loss and theft of computers – be they laptops or desktops, but definitely biased towards laptops – account for half of the twenty-nine data breach…or slightly more than half. It really depends on whether you want to consider one particular instance as an outlier.
Of the 29 HIPAA data breaches, all except one ranged from approximately 500 to 10,000. The outlier is a laptop breach that affected approximately 729,000 people.
With the outlier:
- 818,448 total patients affected.
- 29 cases total. Of these, 13 are attributed to laptops, 2 to desktop computers.
- 761,624 patients affected due to laptops. Another 1,466 attributed to “computers” which is interpreted as desktop computers.
Without the outlier:
- 89,448 total patients affected.
- 28 cases total. Of these, 12 are attributed to laptops, 2 to desktop computers.
- 32,624 patients affected due to laptops. Another 1,466 attributed to “computers” which is interpreted as desktop computers.
Regardless of which dataset you go with, at least half of the 29 incidents are tied to the loss of computers. These are incidents that can be easily prevented by using security software like AlertBoot’s managed disk encryption. Why are HIPAA covered entities (and their business associates) still avoiding laptop disk encryption? I don’t have an answer for that. But, if I may, I must point out that masochists do exist in the world.
In terms of people affected, the theft of endpoints account for either 93% or 36% of people affected. Again, it depends on whether you want to include the outlier or not. If you don’t, well, 36% is not a figure one sneeze’s at. Nearly 40% of people are being affect by, once again, something can be prevented with an easy remedy? Unconscionable.
In an effort to present a little bit more data, these are the mean and median for both instances:
- Mean, with outlier: 28,222.3
- Median, with outlier: 2,812
- Mean, without outlier: 3,194.6
- Median, without outlier: 2,811
If you take the top ten data breaches above, laptops account for four out of the ten HIPAA data breaches. In terms of people affected, 94.8% of people were affected because of a laptop theft. If you prefer not to include the outlier, the figure falls to 28.5% (but becomes a list of top nine breaches). It’s less impressive, but not insignificant.
In a sense, it’s kind of like a fractal: you keep making smaller and smaller slices, and yet those ratios just keep maintaining themselves. It’s uncanny.
One thing that troubles me is whether the one laptop that affected over 700,000 people should be treated as an outlier. On the one hand, it’s way out of proportion. On the other, it’s not a theoretical mistake of some sort. That data breach happened. Plus, a list of data breaches that go back to 2009 shows that at least 9 other incidents are even bigger.
And when you consider that an analysis of the data shows that data breaches appear to follow a power law, it doesn’t make sense to treat that particular data point as an outlier.
Related Articles and Sites: