A new report finds that the number of large-scale health data breaches increased last year, while the number of patients affected by them decreased. The report from California-based IT security audit provider Redspin Inc., titled “Breach Report 2012, Protected Health Information,” looked at 538 breach incidents since August 2009, when the interim breach notification rule under the HITECH Act went into effect; these large-scale breaches affected over 21 million patient records, many of them from Electronic Medical Records software and medical billing software.
Redspin’s report found that the number of large-scale health data breaches (defined as those affecting 500 or more individuals) rose to 146 in 2012, from 121 in the previous year. The number of patient records affected, however, dropped dramatically from 10.6 million in 2011 to 2.4 million in 2012, a decrease of 77 percent. The company’s president noted, “While the breach data shows improvement year-over-year, we caution against complacency.”
57% of all breaches involved third-party vendors or “business associates” (BAs) who require access to Protected Health Information (PHI) in order to provide services to covered entities. The newly published HIPAA Omnibus Rule requires these business associates to comply directly with all HIPAA privacy and security regulations and extends civil liability for breaches of PHI to the business associates. However, Redspin urged healthcare providers not to assume that all BAs will comply, and to be proactive and stay on the offensive regarding breach prevention.
The report also noted that over one-third (38%) of PHI breaches were the result of an unencrypted laptop or other portable electronic device, a finding that suggests encryption should be more widely implemented and enforced, especially in light of the increase in personal mobile devices being used for work purposes. Other statistics include: 67% of breaches have been the result of theft or loss; almost 64% of all patient records breached in 2012 were from the year’s five largest incidents; 780,000 records were breached in the single largest incident of 2012, at the Utah Department of Health; and approximately 6% of all data breaches (in terms of numbers of both incidents and affected records) were attributed to hacking.
Users of leading software like Medisoft Clinical, Lytec 2013, and McKesson Practice Choice are not immune to data breaches due to loss, theft, or hacking. Microwize Technology can help harden your network and environment and minimize the risk. Contact a healthcare technology consultant today.