Since 2009, the HHS Office for Civil Rights (“OCR”) has posted all large data breaches – those that involve 500 or more individuals – online on its so-called “Wall of Shame.” In 2013, 160 large data breaches were reported to OCR and posted on the Wall of Shame. Taken together, these breaches involved the unsecured protected health information (“PHI”) of nearly 6.85 million individuals.
The following top five breaches of 2013 accounted for over 88% of all individuals affected by large data breaches in that year:
- Advocate Health and Hospitals Corp. (4,029,530);
- Horizon Healthcare Services, Inc. d/b/a Horizon Blue Cross Blue Shield of New Jersey and its affiliates (839,711);
- AMHC Healthcare Inc. (729,000);
- Texas Health Harris Methodist Hospital Fort Worth (277,014); and
- Indiana Family & Social Services Administration (187,533).
Of these five breaches, one involved the PHI of over four million individuals; the other four each affected over 150,000 individuals. Three of the five resulted from the theft of equipment or electronic files containing unencrypted PHI. The two remaining breaches were due to errors by business associates: one failed to destroy microfiches containing PHI, which ultimately ended up in several local parks; the other made a computer programming error and transmitted records to an unintended party. Interestingly, the microfiche incident involved the PHI of patients seen by the facility between 1980 and 1990, demonstrating that older PHI is no safer from improper disclosure than newly generated PHI.
These incidents from 2013 should alert covered entities, business associates, vendors and other agents handling PHI to the following lessons:
- Encrypt, encrypt, and encrypt again – in one of the breaches, the hospital system had focused on encrypting its laptops, but had not yet completed encrypting the desktops that contained PHI;
- Monitor where PHI is going – if (or when) PHI is inadvertently transmitted to the wrong party, knowing where it went will help the breaching party perform an adequate risk assessment under 45 C.F.R. 164.402(2); and
- Follow up (and follow through) on the destruction of PHI – having policies on how to properly protect or destroy older PHI records, and following up with the entities entrusted with completing those tasks, will lessen the risk that these records cause a breach down the road.