Major Healthcare Patient Data Breaches Nearing 100-Mark

I read an interesting story over at highlighting the “Official Breach Tally Approaches 100”. The article includes a link to the official federal list of healthcare information breaches that was launched a few short months ago. While the article highlighted the major breaches affecting 500+ individuals as reported to the HHS Office for Civil Rights (OCR) and called out that 61% of incidents stemmed from stolen computer devices (e.g., laptops, USB drives, hard drives, etc.), many of the largest breaches involved unauthorized access.

Here’s a snapshot of the major breaches stemming from unauthorized access:

  • Mount Sinai Medical Center of Florida in March 2010 (2,600 individuals affected)
  • Blue Cross & Blue Shield of Rhode Island in February 2010 (12,000)
  • Wyoming Department of Health in December 2009 (9,023)
  • University Medical Center of Southern Nevada in October 2009 (5,103)
  • Blue Cross Shield Association of D.C. in October 2009 (15,000)
  • [Private Practice] in California in September 2009 (6,145)

What’s interesting here is that the breaches show up regardless of geographic location or company size – these issues affect EVERYBODY. When the HITECH Act breach notification mandates went into effect in September 2009, there was a flood of small breach notifications immediately following in September and October from private practices (these are not named specifically, but that will soon change). Then came a regular drumbeat of larger breaches – some of which are listed above – and they continue to occur.

Will this flow of patient data breaches start to wane with more attention being placed on the issue, and more repercussions from HITECH being enforced? Or will this become ‘noise’ to most people until it affects them directly?

Many of these breaches are preventable. Some are not, but there are now people, processes and technologies available that can help tighten the reins on the vulnerabilities that open the door to many of these breaches. What are you doing to avoid joining the aforementioned list of breaches?