Breaches of Personal Health Data Increase, CT in Middle of Pack

An excess of 20 million patient records have been stolen, hacked, lost, improperly disposed of and/or subjected to unauthorized access since the August 2009, according to Healthcare IT News.   The web-based publication compiled data supplied by Department of Health and Human Services (HHS) since the August 2009 Breach Notification Rule requiring HIPAA-covered entities provide notification after a data breach involving 500 or more individuals. A report by Redspin.com, using HHS data, indicates there were 385 reported breaches of protected health information in 2011, that 59% of breaches involved a business associate, 39% occurred on a laptop or portable device, and the five largest incidents resulted in slightly more than half of the data breached.

States with the highest number of patient records estimated to have been subject to data breach (exceeding 176 people per thousand population) include New Hampshire, Utah, Virginia.  The next group of states, with between 87 and 176 people per thousand, includes California, New York, Arizona, Florida, South Carolina, and Tennessee.

Connecticut is in the middle tier of states, with between 16 and 48 people per thousand population having had their healthcare data compromised.

Earlier this year, Attorney General Jepsen announced he is seeking more information from Hartford Hospital about why unencrypted personal information and protected health information of approximately 9,000 patients was stored on a laptop apparently stolen from a third-party vendor.

Back in 2010, a healthcare data breach in Connecticut that exposed medical information for more than 400,000 individuals resulted in action by former Attorney General Richard Blumenthal, reportedly  the first time that a state attorney general  used the new provisions of the HITECH Act of 2009 to sue a healthcare provider for HIPAA violations.  In that instance, an external hard drive containing unencrypted medical records went missing from Health Net of Connecticut. Another interesting aspect, it was reported,was that the  Attorney General sought not only monetary awards but also a court order forcing Health Net to encrypt all portable electronic devices.

In reviewing the causes of the data breaches of health care records nationwide, it is estimated that 50% were as a result of theft, 18% due to unauthorized access or disclosure, 12% due to loss, 9.5% due to a combination of factors, 6% due to hacking and 4.6% due to improper disposal.

The past few years have brought massive reported breaches, such as the 4.9 million records lost by TRICARE Management Activity (a Department of Defense health care program) when backup tapes disappeared, 1.9 million records lost when hard drives disappeared from HealthNet, and 1.7 electronic medical records stolen from the New York City Health and Hospitals Corporation's North Bronx Healthcare Network.