BreachExchange mailing list archives
One year later…. do the HHS breach reports offer any surprises?
From: Christine Fulgham <christine () opensecurityfoundation org>
Date: Tue, 12 Oct 2010 12:50:15 -0400
http://www.phiprivacy.net/?p=4182

It’s now been a full year since the new breach reporting requirements went into effect for HIPAA-covered entities. Although I’ve regularly updated this blog with new incidents revealed on HHS’s web site <http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html>, it might be useful to look at some statistics for the first year’s worth of reports.

During this period, 166 breaches each affecting 500 or more individuals were reported to HHS. We won’t know how many smaller breaches occurred unless or until HHS reports that figure to Congress at some future date, but for the 166 breaches reported, *4,905,768* patients were affected. Keep in mind that breaches may not have been reported if the entity decided that the incident did not reach the “harm” threshold incorporated in the interim rule. That has since been pulled, and it’s not clear whether there will be a harm threshold in the final rule (there *shouldn’t* be one). If HHS did not have the “harm” threshold, how many more incidents would we have learned about?

Here are a few statistics to mull over from the 166 cases in the dataset:

- 4 of the incidents involved *hacking*, affecting 63,000 patients (mean number of patients per incident = 15,750)
- 6 involved *improper disposal* of PHI, affecting 35,439 (mean = 5,906.5)
- 20 involved *loss* of PHI, affecting 1,007,576 (mean = 50,378.8). These figures do not include incidents that were reported as “theft, loss” or “loss” in combination with some other threat vector, so should be interpreted as a low estimate of loss.
- 80 involved *theft* of PHI, affecting 3,043,292 (mean = 38,041.15). These figures do not include incidents that were reported as “theft, loss” or “theft” in combination with some other threat vector, so should be interpreted as a low estimate of theft.
- 10 involved *unauthorized access*, affecting 50,491 (mean = 5,049.1)
- 10 were described as “*theft, unauthorized access*,” affecting 40,835 (mean = 4,083.5)
- 33 of the breaches involved a *business associate*, affecting 1,460,980 (mean = 44,272.12)
- 34 involved *paper records*, affecting 121,106 (mean = 3,561.94). This figure does not include some of the entities involved in a recent case in Massachusetts <http://www.phiprivacy.net/?p=3327>.
- 43 involved a *laptop*, accounting for 1,503,370 (mean = 34,962.09)
- 21 involved a *desktop computer*, affecting 243,365 (mean = 11,588.81)
- 5 additional incidents involved both a desktop and a laptop
- 23 involved a *portable electronic device*, affecting 1,139,419 (mean = 49,539.96)
- An additional 12 incidents indicated *network server* as the location of the PHI, affecting 169,656 (mean = 14,138)

Other incidents were coded as “other,” some combination of other events, or other categories such as e-mail disclosures. Viewing the data as above, it appears that somewhat more than half of all reported breaches involved theft, and theft accounted for over 62% of all patients whose records were involved in reported breaches involving unsecured PHI. Loss, which accounted for 12% of all reported incidents, accounted for 21% of all patients affected. [...]
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Take CREDANT Technologies short survey on cloud usage and security. Take the survey: http://www.surveymonkey.com/s/TXDR7WT Respond by October 12, 2010. Enter to win a $500(US) Amazon Gift Card.
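The post's per-category counts and means depend on one coding decision it calls out twice: an incident reported as "theft, loss" is tallied in neither the pure "theft" nor the pure "loss" bucket, so those buckets are low estimates. The following aggregator, an added example that is not part of the post, the phiprivacy.net blog or the HHS breach tool, shows both ways of counting side by side on a small constructed dataset (the `Breach` fields, entity names and figures are made up for illustration and are not the 166 HHS reports). It also reproduces the post's other cuts: by PHI location and by business-associate involvement, plus each category's share of all affected patients.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

Stats = Tuple[int, int, float]  # (incident count, patients affected, mean per incident)


@dataclass(frozen=True)
class Breach:
    """One row modelled loosely on the HHS breach tool (constructed fields, not the real schema)."""
    entity: str
    affected: int
    breach_types: Tuple[str, ...]   # ("Theft",) or a combination such as ("Theft", "Loss")
    location: str                   # where the PHI lived: Laptop, Paper, Network Server, ...
    business_associate: bool


# Constructed sample records for illustration; these are NOT the HHS reports.
SAMPLE = (
    Breach("Clinic A", 1200, ("Theft",), "Laptop", False),
    Breach("Hospital B", 30000, ("Theft", "Loss"), "Portable Electronic Device", True),
    Breach("Practice C", 600, ("Loss",), "Paper", False),
    Breach("Plan D", 5000, ("Hacking/IT Incident",), "Network Server", False),
    Breach("Clinic E", 800, ("Unauthorized Access",), "Desktop Computer", True),
    Breach("Hospital F", 2400, ("Theft",), "Desktop Computer", False),
)


def _finish(buckets: Dict[str, list]) -> Dict[str, Stats]:
    """Turn [count, total] accumulators into (count, total, mean) tuples."""
    return {k: (n, tot, tot / n) for k, (n, tot) in buckets.items()}


def by_breach_type(records: Iterable[Breach], *, inclusive: bool = False) -> Dict[str, Stats]:
    """Aggregate count, total and mean per breach type.

    inclusive=False mirrors the post's method: a combination such as
    ("Theft", "Loss") becomes its own bucket "Theft, Loss", so the pure
    "Theft" and "Loss" buckets are low estimates.
    inclusive=True credits every type named in a combination (upper bound).
    """
    buckets: Dict[str, list] = defaultdict(lambda: [0, 0])
    for r in records:
        keys = r.breach_types if inclusive else (", ".join(r.breach_types),)
        for k in keys:
            buckets[k][0] += 1
            buckets[k][1] += r.affected
    return _finish(buckets)


def by_location(records: Iterable[Breach]) -> Dict[str, Stats]:
    """Aggregate by where the PHI was (laptop, desktop, paper, server, ...)."""
    buckets: Dict[str, list] = defaultdict(lambda: [0, 0])
    for r in records:
        buckets[r.location][0] += 1
        buckets[r.location][1] += r.affected
    return _finish(buckets)


def business_associate_stats(records: Iterable[Breach]) -> Stats:
    """Count, total and mean for incidents involving a business associate."""
    ba = [r for r in records if r.business_associate]
    total = sum(r.affected for r in ba)
    return (len(ba), total, total / len(ba) if ba else 0.0)


def share_of_patients(records: Iterable[Breach], category: str, *, inclusive: bool = False) -> float:
    """Percentage of all affected patients attributable to one breach-type bucket."""
    records = tuple(records)
    overall = sum(r.affected for r in records)
    stats = by_breach_type(records, inclusive=inclusive).get(category)
    return stats[1] * 100 / overall if stats and overall else 0.0


if __name__ == "__main__":
    for label, inclusive in (("strict (low estimate)", False), ("inclusive (upper bound)", True)):
        print(f"--- by breach type, {label} ---")
        for k, (n, tot, mean) in sorted(by_breach_type(SAMPLE, inclusive=inclusive).items()):
            print(f"{k:<28} n={n:<2} affected={tot:>7,} mean={mean:,.1f}")
        print(f"theft share of patients: {share_of_patients(SAMPLE, 'Theft', inclusive=inclusive):.1f}%")
    print("--- by location ---")
    for k, (n, tot, mean) in sorted(by_location(SAMPLE).items()):
        print(f"{k:<28} n={n:<2} affected={tot:>7,} mean={mean:,.1f}")
    print("business associate:", business_associate_stats(SAMPLE))
```

On the constructed sample the strict and inclusive tallies for "Theft" differ by the single combined "Theft, Loss" record, which is exactly the gap the post warns about when it calls its theft and loss figures low estimates; when reading any breach-notification dataset, state which of the two conventions a summary uses before comparing categories.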