One of the healthcare IT hallmarks of the last 2 years has been the increase in regulatory reporting requirements for healthcare providers, not only because of the 2009 HITECH Act, but also because of jurisdictional reasons (FTC reporting versus HHS reporting) and reporting at the state and local level. In fact, just a glance at the regulations (timing, trip points, how to report) makes one realize how complex it has become, and how easy it is to inadvertently run afoul of compliance dictum. Ahh… but that is for another rant… err… blog post.
One of the advantages to this trend is the increase in publicly available information. One such source is the HHS website for healthcare breaches affecting over 500 individuals. This post is meant to be a random walk through that data, highlighting some interesting numbers and correlations. The source can be found here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html .
First a few disclaimers.
This is a blog post. It is entirely my opinion and observations, has not been peer reviewed, and is the result of about half an hour's worth of analysis of the facts as delivered by the Federal Government and the self-reporting of affected entities. Since the self-reported data is messy, the numbers reflect some overlap and interpretation of the data. In fact, the downloadable file from the HHS website does not match the browsable format – with a discrepancy of at least 15 entries. That said, the data is still very interesting.
In summary, there were 155 reported breaches in 2010 (again, affecting 500 or more individuals). The last reported entry was 11/9 – so more is most certainly on the way (I’ll update this post as they come in during 2011).
2,904,579 individuals impacted (about 1% of the US population). A phenomenal amount, given this is first year data in a rapidly changing field.
Where: by State
Not surprisingly, the larger population states had the most breaches reported (by number):
New York with 15, and California and Texas with 13 breaches each.
Surprisingly, some of the lower populated regions did make a showing: Kentucky with 7, and DC with 3, stood out.
What: by Hardware
Surprise! (or not). Paper breaches challenged laptops for dominance in terms of type of breach media. Email-oriented breaches came in low – but I am sure that reflects the lack of use (ostensibly for HIPAA and other reasons) of email as a healthcare medium. Notably, “EMRs” were highlighted by some reporting entities as the breach source. The broader moniker of “Personal Electronic Devices” may include handhelds/palm/pad devices.
23 Personal Electronic Devices
How: by Modus Operandi
Thefts came out on top. Inadvertent loss vied with unauthorized access (à la WikiLeaks) – emphasizing how far we need to go on identity and access management. Note, too, the lack of dominance of hacking. BTW – hacking was, in some cases, lumped with “IT incident” – a dubious term at best.
|9||IT incident/ Hacking|
Halls of Shame: By State
Finally, what I’ll call the Halls of Shame. I’ve summarized breach numbers in terms of individuals affected, by state. Sure, New York has the highest number of reported breaches, but Massachusetts has by far the most individuals affected, due in large part to one high-profile breach. Puerto Rico is a similar story (and #2 in our state-ranked Halls of Shame).
Halls of Shame: By Covered Entity
The chart below is directly from the HHS database. Note how many third party entities are involved in breaches (especially in the top 6, by individuals affected). Possibly this reflects that breaches are more likely reported when there is a quasi check/balance due to two entities in the chain of custody. Or the dispersion of responsibility connotes increased risk. You decide. Interestingly enough, one entry reflects finger pointing within a state entity across state agencies.
| Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|---|
| South Shore Hospital | MA | Iron Mountain Data Products, Inc. (now known as Archive Data Solutions, LLC) | 800000 | 2/26/2010 | Loss | Portable Electronic Device, Electronic Medical Record, Other |
| Puerto Rico Department of Health | PR | Triple-S Management, Corp.; Triple-S Salud, Inc. | 400000 | 9/21/2010 | Unauthorized Access/Disclosure, Hacking/IT Incident | Network Server |
| Keystone/AmeriHealth Mercy Health Plans | PA | | 285691 | 9/20/2010 | Loss | Portable Electronic Device |
| Emergency Healthcare Physicians, Ltd. | IL | Millennium Medical Management Resources, Inc. | 180111 | 2/27/2010 | Theft | Portable Electronic Device, Other |
| Lincoln Medical and Mental Health Center | NY | Siemens Medical Solutions, USA, Inc. | 130495 | 3/24/2010 | Loss | Other |
| Department of Health Care Policy & Financing | CO | Governor’s Office of Information Technology | 105470 | 5/17/2010 | Theft | Desktop Computer |
| Providence Hospital | MI | | 83945 | 2/4/2010 | Loss | Hard Drives |
| Cincinnati Children’s Hospital Medical Center | OH | | 60998 | 3/27/2010 | Theft | Laptop |
| Praxair Healthcare Services, Inc. | CT | | 54165 | 2/18/2010 | Theft | Laptop |
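
As an added example (not part of the original analysis or of the HHS tool), the Python below tallies the nine rows in the table above by state, by breach type and by business-associate involvement. The tuple layout and function names are choices made for this example; it also shows how a multi-valued "Type of Breach" entry makes per-type counts add up to more than the number of breaches, one source of the overlap mentioned in the disclaimers.

```python
from collections import Counter

# The nine table rows above, re-typed as tuples (layout chosen for this example):
# (covered entity, state, business associate or "", individuals, type of breach)
ROWS = [
    ("South Shore Hospital", "MA",
     "Iron Mountain Data Products, Inc. (now known as Archive Data Solutions, LLC)", 800000, "Loss"),
    ("Puerto Rico Department of Health", "PR",
     "Triple-S Management, Corp.; Triple-S Salud, Inc.", 400000,
     "Unauthorized Access/Disclosure, Hacking/IT Incident"),
    ("Keystone/AmeriHealth Mercy Health Plans", "PA", "", 285691, "Loss"),
    ("Emergency Healthcare Physicians, Ltd.", "IL",
     "Millennium Medical Management Resources, Inc.", 180111, "Theft"),
    ("Lincoln Medical and Mental Health Center", "NY",
     "Siemens Medical Solutions, USA, Inc.", 130495, "Loss"),
    ("Department of Health Care Policy & Financing", "CO",
     "Governor's Office of Information Technology", 105470, "Theft"),
    ("Providence Hospital", "MI", "", 83945, "Loss"),
    ("Cincinnati Children's Hospital Medical Center", "OH", "", 60998, "Theft"),
    ("Praxair Healthcare Services, Inc.", "CT", "", 54165, "Theft"),
]

def individuals_by_state(rows):
    """Total individuals affected per state, largest first."""
    totals = Counter()
    for _, state, _, count, _ in rows:
        totals[state] += count
    return totals.most_common()

def breaches_by_type(rows):
    """Count breaches per type; a multi-valued entry counts once per listed type."""
    counts = Counter()
    for *_, types in rows:
        for breach_type in types.split(","):
            counts[breach_type.strip()] += 1
    return counts

def business_associate_share(rows):
    """Return (breaches with a business associate, their share of individuals)."""
    with_ba = [r for r in rows if r[2]]
    total = sum(r[3] for r in rows)
    return len(with_ba), sum(r[3] for r in with_ba) / total

if __name__ == "__main__":
    print(individuals_by_state(ROWS)[:2])
    types = breaches_by_type(ROWS)
    print(dict(types), "type tallies:", sum(types.values()), "breaches:", len(ROWS))
    n, share = business_associate_share(ROWS)
    print(f"{n} of {len(ROWS)} breaches involved a business associate ({share:.0%} of individuals)")
```
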
No doubt, as EMRs take hold, and electronic reporting expands, we’ll see some interesting long term trends from this data. I can’t wait.