Almost twice as many people were affected by healthcare data breaches in 2011 as in 2010, according to a report released last week. The total number of breaches dropped by 32% to 145 but the number of people affected by those breaches doubled to 10.8 million.
The drop in occurrences reflects increased security controls and investigation procedures put in place to uncover data breaches.
The increase in the number of people affected by breaches signals that individual incidents are hitting wider targets. The latest tally includes the loss of a single backup tape containing five million records.
The findings are based on a review of breaches reported to have occurred in 2011, according to the Department of Health and Human Services' website. The self-reporting of breaches is a requirement for businesses under the Health Information Technology for Economic and Clinical Health Act (HITECH).
The data shows that California had the highest number of breaches in 2011 with 15, followed by Texas (11), Illinois (8), Florida (7), and New Jersey (7).
The causes are numerous and range in severity. Theft is by far the most common, accounting for more than half of all breaches:
- Theft: 52%
- Unauthorized access: 22%
- Loss: 11%
- Hacking: 6%
- Improper disposal: 5%
- Unknown: 3%
- Other: 1%
Breaches that involved the loss of healthcare data affected the most individuals: 6.1 million. Theft affected 2.4 million, unknown cause affected 1.9 million, and loss affected 1.2 million. Unauthorized access, hacking, improper disposal, and others combined affected about 464,000 individuals.
The association between laptop computers and healthcare data breaches seems obvious, but access to other portable electronic devices such as thumb drives, backup tapes, CDs, DVDs, and X-Ray films accounted for 28% of the breaches and affected 8.2 million people.
This category of information assets is expected to continue to pose a risk due to the mobility and small size of the devices, which makes them more likely to be lost or stolen, the report says.
As protection, healthcare organizations should evaluate if encryption is applied and consider transferring data via a cloud provider.
Paper and laptops accounted for 27% and 22% of the breaches, respectively, but combined accounted for only 5% of the individuals affected by breaches. The study says this is a result of organizations taking steps to remove or encrypt protected health information.
Unauthorized access and improper disposal are most likely to trigger paper breaches. Healthcare organizations should evaluate their paper management procedures. Theft is the biggest threat to laptops. Encryption tools should be deployed to protect personal health information.