2010 was a banner year for HIPAA breaches.
The CMS started keeping track on their website.
This is an interesting way to gather some data.
First, realize that only breaches affecting more than 500 patients get reported to the CMS.
Second, realize there are some (big) companies that are able to delay reporting through some legal wrangling. Health Net, an insurer, has been able to delay (for how long?) reporting its breach involving “missing” server hard drives. The California Department of Managed Healthcare reports this breach affects 1.9 individuals.
But, since that is not reported, we won’t include their data in our stats.
There are just under 250 reported breaches on the website.
The breakdown is:
Obviously theft is the largest culprit.
Next we look at a “device” breakdown:
|Portable Electronic dev||35|
Interesting to note that paper records are #2.
I would lump portable electronic devices and laptops together, as they can both be dealt with in the same way.
Desktop computers are also interesting, as they signal theft or improper disposal, yet, again, they can be handled just like laptops.
The server breaches were mostly “hacking/unauthorized access”.
In future posts I’ll delve into how to protect your practice from these mistakes.
Keep this in mind: 500 patients is all you need in order to report your breach to the CMS and be on the not-so-flattering website.
How many patients are in your EHR?