

Year End 2010: Healthcare Breach Synopsis

by Jack Santos  |  December 27, 2010

One of the healthcare IT hallmarks of the last 2 years has been the increase in regulatory reporting requirements for healthcare providers, not only because of the 2009 HITECH act, but also because of jurisdictional reasons (FTC reporting versus HHS reporting) and reporting at the state and local level. In fact, just a glance at the regulations (timing, trip points, how to report) makes one realize how complex it has become, and how easy it is to inadvertently run afoul of compliance dictums. Ahh… but that is for another rant… err… blog post.

One of the advantages of this trend is the increase in publicly available information. One such source is the HHS website listing healthcare breaches affecting 500 or more individuals. This post is meant to be a random walk through that data, highlighting some interesting numbers and correlations. The source can be found here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

First, a few disclaimers.

This is a blog post. It is entirely my opinion and observations, has not been peer reviewed, and is the result of about half an hour's worth of analysis of the facts as delivered by the Federal Government and the self reporting of affected entities. The numbers, since the self reporting data is messy, reflect some overlap and interpretation of the data. In fact, the downloadable file from the HHS website does not match the browsable format – with a discrepancy of at least 15 entries. That said, the data is still very interesting.

In summary, there were 155 reported breaches in 2010 (again, affecting 500 or more individuals). The last reported entry was 11/9 – so more is most certainly on the way (I'll update this post as they come in during 2011).

In total, 2,904,579 individuals were impacted (about 1% of the US population). A phenomenal amount, given this is first year data in a rapidly changing field.

Where: by State

Not surprisingly, the larger population states had the most breaches reported (by number):

New York with 15, and California and Texas with 13 breaches each.

Surprisingly, some of the lower populated regions did make a showing: Kentucky with 7, and DC with 3, stood out.

NY 15
TX 13
CA 13
IL 9
MA 7
KY 7
OH 6
CT 6
TN 5
PA 5

What: by Hardware

Surprise! (or not). Paper breaches challenged laptops for dominance in terms of type of breach media. Email oriented breaches came in low – but I am sure this reflects the lack of use (ostensibly for HIPAA and other reasons) of email as a healthcare medium. Notably, "EMRs" were highlighted by some reporting entities as the breach source. The broader moniker of "Personal Electronic Devices" may include handheld/palm/pad devices.

46 Laptops
39 Paper
26 Desktops
23 Personal Electronic Devices
13 Servers
5 Emails
2 EMR

How: by Modus Operandi

Thefts came out on top. Inadvertent loss vied with unauthorized access (à la WikiLeaks) – emphasizing how far we need to go on identity and access management. Note, too, the lack of dominance of hacking. BTW – hacking was, in some cases, lumped with "IT incident" – a dubious term at best.

84 Thefts
32 Losses
29 Unauthorized access
10 Improper disposals
IT incident/Hacking


Halls of Shame: By State

Finally, what I'll call the Halls of Shame. I've summarized breach numbers in terms of individuals affected, by state. Sure, New York has the most reported breaches, but Massachusetts has by far the most individuals affected, due in large part to one high profile breach. Puerto Rico is a similar story (and #2 in our state ranked Halls of Shame).

MA   871034
PR   400000
PA   315864
NY   199651
IL   199569
CA   147194
CO   106119

Halls of Shame: By Covered Entity

The chart below is directly from the HHS database. Note how many third party entities are involved in breaches (especially in the top 6, by individuals affected). Possibly this reflects that breaches are more likely reported when there is a quasi check/balance due to two entities in the chain of custody. Or the dispersion of responsibility connotes increased risk. You decide. Interestingly enough, one entry reflects finger pointing within a state entity across state agencies.

| Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information |
|---|---|---|---|---|---|---|
| South Shore Hospital | MA | Iron Mountain Data Products, Inc. (now known as Archive Data Solutions, LLC) | 800000 | 2/26/2010 | Loss | Portable Electronic Device, Electronic Medical Record, Other |
| Puerto Rico Department of Health | PR | Triple-S Management, Corp.; Triple-S Salud, Inc. | 400000 | 9/21/2010 | Unauthorized Access/Disclosure, Hacking/IT Incident | Network Server |
| Keystone/AmeriHealth Mercy Health Plans | PA | | 285691 | 9/20/2010 | Loss | Portable Electronic Device |
| Emergency Healthcare Physicians, Ltd. | IL | Millennium Medical Management Resources, Inc. | 180111 | 2/27/2010 | Theft | Portable Electronic Device, Other |
| Lincoln Medical and Mental Health Center | NY | Siemens Medical Solutions, USA, Inc. | 130495 | 3/24/2010 | Loss | Other |
| Department of Health Care Policy & Financing | CO | Governor's Office of Information Technology | 105470 | 5/17/2010 | Theft | Desktop Computer |
| Providence Hospital | MI | | 83945 | 2/4/2010 | Loss | Hard Drives |
| Cincinnati Children's Hospital Medical Center | OH | | 60998 | 3/27/2010 | Theft | Laptop |
| Praxair Healthcare Services, Inc. | CT | | 54165 | 2/18/2010 | Theft | Laptop |
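The tallies above (breaches by state, by media, by modus operandi, and individuals affected by state) can be reproduced from an export of the HHS breach tool with a short script. The following is an added example, not code from the post or from HHS; it assumes a CSV export with the column headings shown in the table above, and it runs on a constructed sample made of a few of those rows plus one synthetic record (labelled as such). It also makes explicit where the "overlap" mentioned earlier comes from: the "Type of Breach" and "Location of Breached Information" fields are comma separated lists, so one breach can land in several categories and per-category counts add up to more than the number of breaches.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the HHS breach tool's column layout: a subset of the
# rows quoted in the post plus one synthetic row. Not the full HHS data set.
SAMPLE_CSV = """\
Name of Covered Entity,State,Business Associate Involved,Individuals Affected,Date of Breach,Type of Breach,Location of Breached Information
South Shore Hospital,MA,"Iron Mountain Data Products, Inc.",800000,2/26/2010,Loss,"Portable Electronic Device, Electronic Medical Record, Other"
Puerto Rico Department of Health,PR,"Triple-S Management, Corp.; Triple-S Salud, Inc.",400000,9/21/2010,"Unauthorized Access/Disclosure, Hacking/IT Incident",Network Server
Keystone/AmeriHealth Mercy Health Plans,PA,,285691,9/20/2010,Loss,Portable Electronic Device
Providence Hospital,MI,,83945,2/4/2010,Loss,Hard Drives
Cincinnati Children's Hospital Medical Center,OH,,60998,3/27/2010,Theft,Laptop
Example Clinic (constructed row),MA,,600,6/1/2010,Theft,Laptop
"""


def split_multi(field):
    """Split a comma separated category field into its individual values."""
    return [part.strip() for part in field.split(",") if part.strip()]


def parse_breaches(text):
    """Parse the CSV export into a list of dicts with typed, normalised fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "entity": row["Name of Covered Entity"],
            "state": row["State"],
            # an empty business associate column means none was reported
            "business_associate": row["Business Associate Involved"].strip() or None,
            "affected": int(row["Individuals Affected"]),
            "types": split_multi(row["Type of Breach"]),
            "locations": split_multi(row["Location of Breached Information"]),
        })
    return rows


def breaches_by_state(rows):
    """Number of reported breaches per state (the 'Where' list in the post)."""
    return Counter(r["state"] for r in rows)


def affected_by_state(rows):
    """Individuals affected per state (the 'Halls of Shame' list)."""
    totals = Counter()
    for r in rows:
        totals[r["state"]] += r["affected"]
    return totals


def count_by_category(rows, key):
    """Tally a multi-valued field ('types' or 'locations'); each value listed
    on a record is counted once, so a record can contribute to several buckets."""
    return Counter(value for r in rows for value in r[key])


def overlap(rows, key):
    """How many more category tallies there are than records: the double
    counting that multi-valued fields introduce into the per-category lists."""
    return sum(count_by_category(rows, key).values()) - len(rows)


def with_business_associate(rows):
    """Covered entities whose report names a third party business associate."""
    return [r["entity"] for r in rows if r["business_associate"]]


if __name__ == "__main__":
    breaches = parse_breaches(SAMPLE_CSV)
    print("breaches by state:", breaches_by_state(breaches).most_common())
    print("individuals affected by state:", affected_by_state(breaches).most_common())
    print("by location:", count_by_category(breaches, "locations").most_common())
    print("location overlap:", overlap(breaches, "locations"))
    print("by type:", count_by_category(breaches, "types").most_common())
    print("with business associate:", with_business_associate(breaches))
```

Running it on the real export is a matter of replacing `SAMPLE_CSV` with the file contents; the `overlap` figures tell you how much the media and modus operandi lists over count relative to the 155 breaches, which is worth stating alongside any chart built from them.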


No doubt, as EMRs take hold and electronic reporting expands, we'll see some interesting long term trends from this data. I can't wait.


Jack Santos
Research VP
7 years at Gartner
40 years IT industry

Jack Santos is a Research Vice President with Gartner, part of the Enterprise Architecture and Technology Innovation team within the Gartner for IT Leaders product. He focuses on enterprise architecture and technology trends. Mr. Santos' specific area of research covers individual development, leadership and management practices for enterprise architects, EA innovation, and collaboration approaches.
