Breaches involving more than 500 patients reached 385 affecting 19,016,807 individuals, according to an analysis by Health Information Privacy/Security Alert of OCR statistics from Dec. 17 through Jan. 17. That represented an increase of five reported breaches affecting an additional 956,976. In the previous month (Nov. 17 Dec. 17). OCR reported 16 new breaches affecting 94,762 individuals.
The month-to-month differences reflect the wide range and effect of the reported breaches.
The analysis found that 303 (79%) of the reported breaches affected under 10,000 patients for a total of 1,577,767 or 3.9% of the total number of patients. Twenty breaches accounted for the vast majority of affected patients (16,694,299).
The statistics do not include the tens of thousands of self-reported breaches affecting fewer than 500 patients that suffer from many of the same issues as the larger breaches.
Paper records continue to be the most frequent source of patient information, accounting for the sole location of a breach for at least 91 incidents affecting 494,363. Paper records were involved in six other breaches as well. Laptops were the sole location for 78 breaches affecting 1,751,631 patients. Laptops were involved in an additional 13 incidents. The loss or theft of backup tapes represented the single source of the most affected patients (5,969,483).
Physical security, not electronic hacking was far and away from the leading reason for a breach. Theft alone accounted for 187 breaches affecting 7,623,538; the loss of patient data was the sole reason for 50 breaches affecting 7,239,015 patients. Electronic attacks were the sole reason for 22 incidents affecting 546,223 patients.
From a strictly HIPAA privacy perspective, 67 violations were solely attributable to unauthorized access/disclosure and affected 636,748 patients.
Business Associates accounted for 84 breaches with theft (29), unauthorized access (26), and loss (18) accounting for most of the breaches.