Those are just some of many good nuggets of information in the 3rd Breach Report/Protected Health Information from security testing and auditing firm Redspin Inc. Since August 2009, for instance, 538 breaches each affecting at least 500 patients have been reported to the HHS Office for Civil Rights, and the breaches total 21.4 million patient records. Other stats from 2012: two-thirds of major breaches result from theft or loss, 38 percent of breaches come from unencrypted laptops and other portable devices, and 57 percent involve a business associate.
While the quick stats get noticed, the deeper analysis in the report is sobering. The five largest breaches of 2012 accounted for almost two-thirds of compromised patient records. The magnitude of the Eastern European hack that obtained protected information on 780,000 Utah Medicaid recipients should end any complacency about the hacking threat, the vendor warns.
“In Redspin’s opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. We expect that the low incidence rate of hacking during the past few years was the calm before the storm.”
The good news: Increased privacy and security provisions under the HITECH Act, augmented in January with publication of the final omnibus HIPAA rule, are having positive impacts on the industry, according to Redspin. Covered entities increasingly are conducting HIPAA security risk analyses, the company notes, and it alone helped nearly 100 hospitals with that task last year. That the number of major breaches rose in 2012 while the number of affected patients dropped is one reflection of improvement.
Redspin’s complete report is available here.