From September 2009, when the federal breach notification rule became effective, through 2010, large breaches of protected health information accounted for less than 1 percent of nearly 31,000 reported incidents, but affected 99 percent of the 7.8 million individuals touched by a breach.

Further, theft of protected health information was the cause of 27, or 60 percent, of 45 large breaches--those affecting 500 or more individuals--in 2009, and 99, or 48 percent, of 207 large breaches in 2010, according to the HHS Office for Civil Rights in an annual report to Congress. Large breaches caused by theft affected about 1,468,578 individuals in 2009 and about 2,979,121 individuals in 2010.

Other common causes for large breaches included intentional unauthorized access, human error, loss of electronic media or paper records, and improper disposal.

The report to Congress breaks down common remedial actions--which organizations report to OCR--taken following a breach. These include revising policies and procedures, improving physical security, training or retraining employees, providing free credit monitoring services, adopting encryption, sanctioning employees, changing passwords, performing a new risk assessment, and revising business associate contracts.

"With respect to large breaches involving the theft or loss of electronic protected health information, of the approximately 131 reports of such breaches in 2009 and 2010, about fifty percent of the reports indicated that encryption technologies were being implemented as a remedial step to avoid future breaches," according to the report to Congress.

