The HITECH Breach Notification Tool lists all protected health information data breaches reported under the United States' HITECH Act. Section 13402(e)(4) requires the Health and Human Services Secretary to “post a list of breaches of unsecured protected health information affecting 500 or more individuals.” Using this tool, we can better understand health care-related data breaches.
So far, 169 data breaches have been reported for 2010, affecting nearly 3.5 million people. Because it is January and most organizations take a month or longer to report to the HHS, we expect more notifications to come in.
Here are some other interesting statistics.
Top 5 Largest Breaches:
- South Shore Hospital, MA – 800,000 people
- Puerto Rico Department of Health, PR – 400,000 people
- Triple-S Salud, Inc., PR – 398,000 people
- Keystone/AmeriHealth Mercy Health Plans, PA – 285,691 people
- Emergency Healthcare Physicians, Ltd., IL – 180,111 people
Top 5 Breach Types:
- Theft – 78
- Loss – 30
- Unauthorized Access/Disclosure – 27
- Improper Disposal – 11
- Hacking/IT Incident – 7
Theft was by far the most common cause of a breach. It would be useful to know whether these are insider thefts or other types (laptops left in cars, for instance).
Top 5 Breach Locations:
- Laptop – 40
- Paper Records – 38
- Desktop Computer – 21
- Portable Electronic Device, Other – 16
- Network Server – 15
Because laptops were the top location of breached data, we can speculate that theft was involved. However, the desktop computer and network server counts lead us to believe that either insider attacks or hacking cause a large percentage of breaches.
While the issues we have highlighted are certainly not indicative of all organizations, the breach data can help us learn where others are struggling. We can ask questions about our own security in reference to the problems others are having. This may help us discover blind spots, and determine where to focus resources to secure our assets.