Healthcare’s Dirty Secret – 15 Million Patient’s Private Information Exposed Since 2009

July 8, 2012
74 Views

 

 

Due to the overwhelmingly positive response to an earlier blog post entitled “Paper Records More Susceptible to Breach than Any Other Medium – are you next?”, I decided to dig deeper into the data provided by the U.S. Department of Health & Human Services.

The organization provides a data of breaches affecting 500 or more individuals. While a breach that impacts 1 patient is important to rectify, the department chose 500 to be of material consequence. There were 435 breaches recorded and observed by the HHS Office for Civil Rights.

Avoidable HIPAA Breaches

It is interesting to note that the breaches that occur are avoidable. The table below examines that type of breaches that occurred in the dataset.  While there are different mediums containing Patient Health Information (PHI), when stored locally either physically or digitally they are vulnerable to intruders.

Breach TypeBreach Count
Theft238
Unauthorized Access93
Improper Disposal75
Hacking Incident26
Loss3

 

 How to Protect PHI (Patient Health Information)

When examining breach types it is important to identify differences and how to protect PHI. Theft can occur physically or digitally. It is difficult to protect physical records and require secure location and incur storage costs. Storing physical patient files does not capture a history of access.

This leads to Unauthorized Access, including employee access or mishandling of PHI. Using a digital repository for PHI allows organization administrators to identify any misuse of patient data and curb potential HIPAA breaches before they become material IF proper protocols are put in place.

Proper Software Permissions

Some Electronic Medical Record (EMR) applications and services such as referralMD allow for proper administration of PHI and employee access. All IT equipment has an end of useful life and requires proper disposal. Once this occurs the equipment can be salvaged (sold to a third party) to recover some IT investment costs.

There is nothing wrong with the practice if sensitive data is removed (with a Department of Defense wipe) or data storing hardware such as hard drives, CD/DVD’s and tape backups are destroyed. Hacking can occur both internally and externally over network resources.

Small to Medium Practices Do Not Have Required IT Skills

Organization networks can be protected with firewalls from external intruders; however PHI is still vulnerable to internal malice. Most medium and small medical organizations do not deploy proper staff to monitor network traffic continuously. Cloud services can provide a layer of protection that have the staff to monitor network traffic and enforce network security on a wide scale.

Of the 435 breaches,  116 were paper based breaches, 109 involved stolen laptops, 62 Desktop computers, 40 Networks, 70 portable devices (including portable hard drives, CD/DVD’s and tape backups). Download the  full report of breaches here.  Almost 15 million patients were affected by breaches by the top 10 entities with the most breaches. Unfortunately most of the incidents were avoidable and due to stolen or lost physical media

The graph below depicts the number of patients affected by HIPAA violations:

HIPAA Breaches since 2009 - Indviduals Affected

The graph below depicts the number of breaches reported per month since September 2009.

Number of Breaches Reported Since Sept. 2009

While the graph that depicts the number of breaches shows downward slope, this is misleading. Breaches that have occurred in recent months may not have been identified and/or have not been reported. OCR complaints may be filed 180 days from the date of the act or occurrence(s).

Organizations can protect themselves by adhering to HIPAA regulations and use tools such as referralMD to remain in compliance or to minimize the impact of a violation. Data from the HHS has been included in this blog post.

How do you protect your organization?

Share your thoughts below about what you do to protect your patients.

You may be interested

Care On The Road: How Telemedicine Can Reach Truck Drivers
Mobile Health
12 views
Mobile Health
12 views

Care On The Road: How Telemedicine Can Reach Truck Drivers

Larry Alton - August 21, 2017

Telemedicine is considered a powerful tool for individuals living in rural areas, far from adequate services or in need of…

Where Is The Balance? Pushing Back Against Consumer Health Tech
eHealth
3 views
eHealth
3 views

Where Is The Balance? Pushing Back Against Consumer Health Tech

Larry Alton - August 18, 2017

When Republican Congressman Jason Chaffetz glibly remarked that Americans struggling to afford insurance should choose between that and their smartphones,…

What to Look for in Patient Solutions Software
eHealth
365 views
eHealth
365 views

What to Look for in Patient Solutions Software

Robert Cordray - August 17, 2017

The medical sector is one area where technology has had a significant impact, largely by providing tools that simplify many…