Healthcare data breaches affected 10.8M Americans in 2011, double prior year

August 22, 2012

Theft was the No. 1 cause of data breaches, accounting for 52% last year. Unauthorized access accounted for 19%. Just 6% of breaches happened due to hacking.

Nearly 11 million people in the U.S. had their healthcare data lost or stolen last year, almost twice as many as the previous year.

The number of reported data breaches, however, fell 32% to 145 last year, which could mean that organizations have improved their security controls and investigative procedures, according to a report by accounting and consulting firm Kauffman, Rossin & Co.

Laptops and paper records were the most frequent types of assets compromised in breaches, but mobile devices are also vulnerable and may pose the greatest risk in the future due to their small size and increasing ubiquity, according to the report.

The number of breaches involving email was low, because email encryption has become a “common, cost-effective technology,” the report says.

About one in five breaches occurred at a business associate, meaning that organizations protecting health information should assess their vendor management programs for weaknesses.

The report's author, Jorge Rey, CISA, CISM, CGEIT, reviewed and analyzed all data breaches that were reported to the U.S. Department of Health and Human Services during the past 2 years. Self-reporting breaches became a requirement for businesses in 2009 under the Health Information Technology for Economic and Clinical Health Act, also known as HITECH.

Rey last year penned a column in Medical Economics that featured a five-step plan physicians should follow to prevent data breaches in their practices.

“As a physician, your biggest IT concern should be to keep desktops, laptops, and mobile devices with patient data out of the hands of thieves and unauthorized individuals,” Rey wrote. “The physical loss of this equipment might not be harmful, but having to notify your patients and the U.S. Department of Health and Human Services could be.”