The US Department of Health and Human Services, Office for Civil Rights has released its annual report on data breaches involving protected health information. The report covers January 1, 2011 through December 31, 2012, according to phiprivacy.net. While it may reflect the near past, it shows why HIPAA encryption is so important: theft accounted for more than 50% of all data breaches that involved the PHI of 500 or more individuals.
Adding instances of loss, the figures rise to around 66% (accounting for nearly two-thirds of all reported data breaches).
Of course, just because two-thirds of all data breaches are tied to theft and loss does not mean that this will correspond to the number of people affected: for example, if you have one online hacking incident that affects the whole of the US (300 million people and then some), chances are that it will dominate the numbers. So, how many people were affected by theft and loss?
- 2009: 60% (theft), 0% (loss) – total of 60%
- 2010: 58%, 22% – total of 80%
- 2011: 24%, 54% – total of 80%
- 2012: 36%, 13% – total of 49%
There is a dramatic 30% drop in affected people in 2012, but the share of data breaches attributed to theft and loss has remained consistent over the years (approx. 66%). This can mean either that (a) people have started limiting how much information is stored on mobile devices like laptops and smartphones (e.g., if one laptop is stolen each year but the PHI count goes from 2 to 1, there’s an instant 50% reduction in affected people) or (b) seeing how we’re dealing with percentages, more people were involved in a different type of data breach (which in the HHS/OCR report is classified as “other”).
In 2011, Business Associates (BA) accounted for 27% of all data breaches reported to the HHS that involved 500 or more people. However, they accounted for 64% of all people affected.
In 2012, BAs accounted for 25% of data breaches. They accounted for 42% of all people affected.
Desktop Computers Come In Third
In 2011, paper-based breaches accounted for 27% of all data breaches, followed by laptop computers (20%) and desktop computers (14%). Other portable devices followed very closely, at 13%.
I’ve argued often that desktop computers require the same level of attention and dedication to security as laptop computers, and the above numbers bear me out. Especially when you consider the number of people affected: the “Other” category accounts for a whopping 70% of people affected, followed by desktop computers (18%) and laptop computers (4%).
What’s with the “Other” category? Well, that’s where storage media like backup tapes end up, seeing how they’re rarely involved in a data breach. If you’ll recall, we’ve had a number of big breaches centered around data tapes, such as SAIC/Tricare.
In 2012, paper accounted for 23% of breaches, followed by laptop computers (27%) and network servers (13%). Desktop computers came in fourth place with 12%.
Resolution Agreements (i.e., Fines)
In addition to the above data, the HHS/OCR report lists a number of enforcement actions that were pursued. You can get more details from the report itself but I thought I’d list what people are really interested in. The fines:
- Blue Cross Blue Shield of Tennessee: $1.5 Million resolution amount
- Alaska Dept. of Health and Social Services: $1.7 Million
- Mass. Eye and Ear Infirmary and Mass. Eye and Ear Associates: $1.5 Million
- Hospice of North Idaho: $50,000
- Idaho State University: $400,000
- WellPoint: $1.7 Million
- Affinity Health Plan: $1,215,780
The types of breaches vary (paper, computers, photocopiers), as does the number of people affected, whether in the millions or in the hundreds. The only thing that is consistent is that there appear to have been multiple failures to comply with the HIPAA Security and Privacy Rules.