BreachExchange mailing list archives

One year later…. do the HHS breach reports offer any surprises?


From: Christine Fulgham <christine () opensecurityfoundation org>
Date: Tue, 12 Oct 2010 12:50:15 -0400

http://www.phiprivacy.net/?p=4182


It’s now been a full year since the new breach reporting requirements went
into effect for HIPAA-covered entities. Although I’ve regularly updated
this blog with new incidents revealed on HHS’s web site
<http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html>,
it might be useful to look at some statistics for the first year’s worth of
reports.

During this period,  166 breaches each affecting 500 or more individuals
were reported to HHS.   We won’t know how many smaller breaches occurred
unless or until HHS reports that figure to Congress at some future date, but
for the 166 breaches reported, *4,905,768* patients were affected.  Keep in
mind that breaches may not have been reported if the entity decided that the
incident did not reach the “harm” threshold incorporated in the interim
rule.  That has since been pulled, and it’s not clear whether there will be
a harm threshold in the final rule (there *shouldn’t* be one). If HHS did
not have the “harm” threshold, how many more incidents would we have learned
about?

Here are a few statistics to mull over from the 166 cases in the dataset:

   - 4 of the incidents involved *hacking*, affecting 63,000 patients (mean
   number of patients per incident = 15,750)
   - 6 involved *improper disposal* of PHI, affecting 35,439 (mean =
   5,906.5)
   - 20 involved *loss* of PHI, affecting 1,007,576 (mean =
   50,378.8). These figures do not include incidents that were reported as
   “theft, loss” or “loss” in combination with some other threat vector, so
   should be interpreted as a low estimate of loss.
   - 80 involved *theft* of PHI, affecting 3,043,292 (mean = 38,041.15).
   These figures do not include incidents that were reported as “theft, loss”
   or “theft” in combination with some other threat vector, so should be
   interpreted as a low estimate of theft.
   - 10 involved *unauthorized access*, affecting 50,491 (mean = 5,049.1)
   - 10 were described as “*theft, unauthorized access*,” affecting 40,835
   (mean = 4,083.5)
   - 33 of the breaches involved a *business associate*, affecting 1,460,980
   (mean = 44,272.12)
   - 34 involved *paper records*, affecting 121,106 (mean = 3,561.94). This
   figure does not include some of the entities involved in a recent case in
   Massachusetts <http://www.phiprivacy.net/?p=3327>.
   - 43 involved a *laptop*, accounting for 1,503,370 (mean = 34,962.09)
   - 21 involved a *desktop computer*, affecting 243,365 (mean = 11,588.81)
   - 5 additional incidents involved both a desktop and a laptop
   - 23 involved a *portable electronic device*, affecting 1,139,419
   (mean = 49,539.96)
   - An additional 12 incidents indicated *network server* as the location
   of the PHI, affecting 169,656 (mean = 14,138)

Other incidents were coded as “other,” some combination of other events, or
other categories such as e-mail disclosures.

Viewing the data as above, it appears that somewhat more than half of all
reported breaches involved theft, and theft accounted for over 62% of all
patients whose records were involved in reported breaches involving
unsecured PHI. Loss, which accounted for 12% of all reported incidents,
accounted for 21% of all patients affected.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/

