If you have followed my blog, you know that I annually review the US HHS breach report, just to see what kind of year we had in healthcare security. Well, enough time has gone by since the end of year reporting to make sure we have captured the stragglers. Prior years observations are here for 2010 and here for 2011.
Well I am happy to say that we are off the curve to have 50% of the population breached for healthcare data by 2025. Whew! 2011 now looks like an anomaly in our rear-view mirrors. Breaches in 2011 affected almost 11 million people. In 2012 healthcare breaches affected 2.5 million, about the same level as 2009 – which was a partial year of reporting.
Hmmm, so we may be looking at 3 scenarios:
1) Rules and fines have had their effect. The industry has woken up and has taken serious precautions that has sharply reduced breaches.
2) 2011 was an anomaly, and it won’t ever happen again.
3) The numbers are suspect – not everything is being reported.
This year’s graph is telling:
compared that to our trending from 2011:
This year’s wall of shame includes these top 3 breaches:
Utah Department of Health: 780,000 individuals affected
Emory Healthcare: 315,000 individuals affected
South Carolina Department of Health and Human Services: 228,435 individuals affected
Government and Non Profits are not immune: at least 5 city agencies, 7 Universities stick out.
Repeat offenders? It happens. Kindred Healthcare, The Brookdale University Hospital and Medical Center (NY) , Riderwood Village (MD), and Florida’s Memorial Healthcare System each had a total of two separate breaches in 2012.
Maybe we have turned the corner on healthcare security breaches (how come I feel that may be optimistic at best?). Or maybe there is a major case of ignorance, or a fear of reporting and lack of compliance going on. Or maybe criminals have a target rich environment with banks, and could care less about Protected Health Information.
What do you think?