Year End 2010: Healthcare Breach Synopsis

By Jack Santos | December 27, 2010 | 0 Comments

One of the healthcare IT hallmarks of the last 2 years has been the increase in regulatory reporting requirements for healthcare providers, not only because of the 2009 HITECH act, but also because of jurisdictional reasons (FTC reporting versus HHS reporting) and reporting at the state and local level.  In fact, just a glance at the regulations (timing, trip points, how to report) makes one realize how complex it has become, and how easy it is to inadvertently run afoul of compliance dictum.  Ahh… but that is for another rant… post.

One of the advantages to this trend is the increase in publicly available information.  One such source is the HHS website for healthcare breaches affecting over 500 individuals.  This post is meant to be a random walk through that data, highlighting some interesting numbers and correlations.  The source can be found here: .

First a few disclaimers. 

This is a blog post. It is entirely my opinion and observations, has not been peer reviewed, and is the result of about half an hour's worth of analysis of the facts as delivered by the Federal Government and the self-reporting of affected entities. The numbers, since the self-reported data is messy, reflect some overlap and interpretation of the data. In fact, the downloadable file from the HHS website does not match the browsable format, with a discrepancy of at least 15 entries. That said, the data is still very interesting.

In summary, there were 155 reported breaches in 2010 (again, affecting 500 or more individuals). The last reported entry was 11/9, so more are most certainly on the way (I'll update this post as they come in during 2011).

2,904,579 individuals impacted (about 1% of the US population).  A phenomenal amount, given this is first year data in a rapidly changing field.

Where: by State

Not surprisingly, the larger population states had the most breaches reported (by number):

New York with 15, and California and Texas with 13 breaches each.

Surprisingly, some of the less populous regions did make a showing: Kentucky with 7, and DC with 3, stood out.

NY 15
TX 13
CA 13
IL 9
MA 7
KY 7
OH 6
CT 6
TN 5
PA 5

What: by Hardware

Surprise! (or not). Paper breaches challenged laptops for dominance in terms of type of breach media. Email-oriented breaches came in low, but I am sure this reflects the lack of use (ostensibly for HIPAA and other reasons) of email as a healthcare medium. Notably, "EMRs" were highlighted by some reporting entities as the breach source. The broader moniker of "Personal Electronic Devices" may include handheld/palm/pad devices.

46 Laptops
39 Paper
26 Desktops
23 Personal Electronic Devices
13 Servers
5 Emails

How: by Modus Operandi

Thefts came out on top. Inadvertent loss vied with unauthorized access (à la WikiLeaks), emphasizing how far we need to go on identity and access management. Note, too, the lack of dominance of hacking. BTW, hacking was, in some cases, lumped with "IT incident", a dubious term at best.

84 Thefts
32 Losses
29 Unauthorized access
10 Improper disposals
IT incident/Hacking

Halls of Shame: By State

Finally, what I'll call the Halls of Shame. I've summarized breach numbers in terms of individuals affected, by state. Sure, New York has the most reported breaches, but Massachusetts has by far the most individuals affected, due in large part to one high-profile breach. Puerto Rico is a similar story (and #2 in our state-ranked Halls of Shame).

MA   871034
PR   400000
PA   315864
NY   199651
IL   199569
CA   147194
CO   106119

Halls of Shame: By Covered Entity

The chart below is directly from the HHS database. Note how many third-party entities are involved in breaches (especially in the top 6, by individuals affected). Possibly this reflects that breaches are more likely reported when there is a quasi check/balance due to two entities in the chain of custody. Or the dispersion of responsibility connotes increased risk. You decide. Interestingly enough, one entry reflects finger-pointing within a state entity across state agencies.

Name of Covered Entity | State | Business Associate Involved | Individuals Affected | Date of Breach | Type of Breach | Location of Breached Information
South Shore Hospital | MA | Iron Mountain Data Products, Inc. (now known as Archive Data Solutions, LLC) | 800000 | 2/26/2010 | Loss | Portable Electronic Device, Electronic Medical Record, Other
Puerto Rico Department of Health | PR | Triple-S Management, Corp.; Triple-S Salud, Inc. | 400000 | 9/21/2010 | Unauthorized Access/Disclosure, Hacking/IT Incident | Network Server
Keystone/AmeriHealth Mercy Health Plans | PA | | 285691 | 9/20/2010 | Loss | Portable Electronic Device
Emergency Healthcare Physicians, Ltd. | IL | Millennium Medical Management Resources, Inc. | 180111 | 2/27/2010 | Theft | Portable Electronic Device, Other
Lincoln Medical and Mental Health Center | NY | Siemens Medical Solutions, USA, Inc. | 130495 | 3/24/2010 | Loss | Other
Department of Health Care Policy & Financing | CO | Governor's Office of Information Technology | 105470 | 5/17/2010 | Theft | Desktop Computer
Providence Hospital | MI | | 83945 | 2/4/2010 | Loss | Hard Drives
Cincinnati Children's Hospital Medical Center | OH | | 60998 | 3/27/2010 | Theft | Laptop
Praxair Healthcare Services, Inc. | CT | | 54165 | 2/18/2010 | Theft | Laptop
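As an added example (not part of the original post, and not an HHS tool), here is a small Python script that reads records in the column layout of the HHS listing quoted above and produces the kinds of tallies used in this post: breaches per state, individuals affected per state, per-category counts for the multi-valued "Type of Breach" and "Location" columns, the share of top entries that name a business associate, and a duplicate check of the sort needed when reconciling the downloadable file against the browsable listing. The embedded input is the nine rows from the table above, re-entered as tab-separated text so the script runs offline; the column names are the ones HHS uses, everything else (function names, the duplicate key) is my own choice.

```python
"""Tally HHS 'breaches affecting 500 or more individuals' records.

Added example, not part of the original post. Input is the post's
covered-entity table, re-entered as tab-separated text. Cells such as
"Theft, Loss" hold several categories, so category tallies can legitimately
sum to more than the number of breaches; that is one source of the
"overlap" the post mentions.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed input: the nine rows from the post's table. An empty
# "Business Associate Involved" cell means none was listed by HHS.
HHS_SAMPLE = """\
Name of Covered Entity\tState\tBusiness Associate Involved\tIndividuals Affected\tDate of Breach\tType of Breach\tLocation of Breached Information
South Shore Hospital\tMA\tIron Mountain Data Products, Inc. (now known as Archive Data Solutions, LLC)\t800000\t2/26/2010\tLoss\tPortable Electronic Device, Electronic Medical Record, Other
Puerto Rico Department of Health\tPR\tTriple-S Management, Corp.; Triple-S Salud, Inc.\t400000\t9/21/2010\tUnauthorized Access/Disclosure, Hacking/IT Incident\tNetwork Server
Keystone/AmeriHealth Mercy Health Plans\tPA\t\t285691\t9/20/2010\tLoss\tPortable Electronic Device
Emergency Healthcare Physicians, Ltd.\tIL\tMillennium Medical Management Resources, Inc.\t180111\t2/27/2010\tTheft\tPortable Electronic Device, Other
Lincoln Medical and Mental Health Center\tNY\tSiemens Medical Solutions, USA, Inc.\t130495\t3/24/2010\tLoss\tOther
Department of Health Care Policy & Financing\tCO\tGovernor's Office of Information Technology\t105470\t5/17/2010\tTheft\tDesktop Computer
Providence Hospital\tMI\t\t83945\t2/4/2010\tLoss\tHard Drives
Cincinnati Children's Hospital Medical Center\tOH\t\t60998\t3/27/2010\tTheft\tLaptop
Praxair Healthcare Services, Inc.\tCT\t\t54165\t2/18/2010\tTheft\tLaptop
"""


def load_records(text=HHS_SAMPLE):
    """Parse tab-separated HHS-style rows into dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    records = []
    for row in reader:
        row["Individuals Affected"] = int(row["Individuals Affected"])
        records.append(row)
    return records


def split_multi(cell):
    """Split a multi-valued HHS cell on commas only. The slash inside
    'Hacking/IT Incident' or 'Unauthorized Access/Disclosure' is part of
    the category name and must not be treated as a separator."""
    return [part.strip() for part in cell.split(",") if part.strip()]


def breaches_by_state(records):
    """Number of reported breaches per state."""
    return Counter(r["State"] for r in records)


def individuals_by_state(records):
    """Sum of individuals affected per state (the post's 'Halls of Shame')."""
    totals = defaultdict(int)
    for r in records:
        totals[r["State"]] += r["Individuals Affected"]
    return dict(totals)


def category_tally(records, column):
    """Count categories in a multi-valued column. Because one record can
    carry several categories, the total can exceed len(records)."""
    tally = Counter()
    for r in records:
        tally.update(split_multi(r[column]))
    return tally


def business_associate_share(records, top_n=None):
    """(entries naming a business associate, entries considered) among the
    top_n records by individuals affected, or all records if top_n is None."""
    ranked = sorted(records, key=lambda r: r["Individuals Affected"], reverse=True)
    if top_n is not None:
        ranked = ranked[:top_n]
    with_ba = sum(1 for r in ranked if r["Business Associate Involved"].strip())
    return with_ba, len(ranked)


def find_duplicates(records):
    """Keys (entity, date, count) that occur more than once. Helpful when a
    download and a browsable listing disagree on the number of entries."""
    seen = Counter(
        (r["Name of Covered Entity"], r["Date of Breach"], r["Individuals Affected"])
        for r in records
    )
    return [key for key, n in seen.items() if n > 1]


if __name__ == "__main__":
    recs = load_records()
    print("breaches by state:", dict(breaches_by_state(recs)))
    print("individuals by state:", individuals_by_state(recs))
    print("type of breach:", dict(category_tally(recs, "Type of Breach")))
    print("location:", dict(category_tally(recs, "Location of Breached Information")))
    print("top-6 with business associate:", business_associate_share(recs, top_n=6))
    print("possible duplicates:", find_duplicates(recs))
```

The category tally is the part worth noticing: the nine sample rows yield ten "Type of Breach" entries because the Puerto Rico record carries two categories, which is exactly the kind of overlap that keeps per-category counts from summing to the breach total.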


No doubt, as EMRs take hold, and electronic reporting expands, we’ll see some interesting long term trends from this data.  I can’t wait.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
