This month there is a new name at the top of the list of the biggest healthcare data breaches of 2011, and the incident is also the second largest healthcare data breach reported to date. The TRICARE healthcare program data breach affected approximately 4.9 million individuals, although the exact total is not yet known because the breach has not yet appeared on the Department of Health and Human Services' "Wall of Shame".
The HHS Office for Civil Rights (OCR) publishes data breaches suffered by HIPAA-covered entities when they expose the records of 500 or more individuals. The list has been maintained since it became mandatory for HIPAA-covered entities to report data breaches. Since then, approximately 11.8 million individuals have had their Protected Health Information (PHI) exposed by healthcare providers, health plans, insurers, healthcare clearinghouses, and their vendors.
There are now more than 330 entries on the Wall of Shame, and the list is growing at an extraordinary pace. The number of records exposed per breach also appears to be increasing: in 2011 alone, with Quarter 4 not yet begun, five data breaches have each affected more than 1 million individuals.
Top 5 Healthcare Data Breaches in 2011
| Entity | Records | Cause |
| --- | --- | --- |
| TRICARE | 4.9 million | Stolen backup tapes |
| Health Net | 1.9 million | 9 missing server drives |
| The New York City Health and Hospitals Corp. | 1.7 million | Stolen backup tapes |
| AvMed Health Plans | 1.2 million | Stolen laptop computer |
| BlueCross BlueShield of Tennessee | 1.0 million | 57 stolen hard drives |
These breaches are massive, but the largest healthcare data breach to date occurred in 2006, when a laptop computer belonging to the Department of Veterans Affairs was stolen. It held the records of some 26.5 million veterans. After that breach the VA decided to encrypt all of its laptop computers.
The Top 5 Healthcare Data Breaches of 2011 Could Have Been Prevented
The largest data breaches of 2011 all resulted from the loss or theft of computer equipment holding electronic PHI. Had those devices been encrypted, their loss or theft would not have caused a data breach: the equipment would be in the hands of thieves, but the data on it would be unreadable without the decryption key. That protection holds only if the key is not stored with the device, and, for a laptop, only while the machine is powered off or locked so that the key is not sitting in memory; a stolen laptop that was left logged in is as exposed as an unencrypted one.
Since many kinds of devices were lost or stolen, it is not enough to encrypt the data on healthcare laptops alone: encryption must cover backup tapes, portable storage devices, mobile phones, tablets, laptops and desktop computers. The equipment is of value to thieves, but the data stored on it is worth more. PHI can be used to steal identities and fraudulently obtain goods, services, credit and tax rebates.
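As an added example, not code from the original article or from any of the organisations named above, the following Go program shows the property this argument relies on: a backup sealed with AES-256-GCM under a key that is held elsewhere yields nothing to whoever holds the medium, and any tampering with the medium is detected on restore. The sample records, the tape label and the key-handling functions are constructed for the example; the assumption that the key lives in a KMS or HSM rather than on the tape is stated in the comments.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleBackup stands in for the contents of a backup tape. The records are
// constructed for this example and are not real PHI.
var sampleBackup = []byte(
	"patient_id=1001,name=Jane Doe,dob=1961-04-02,dx=E11.9\n" +
		"patient_id=1002,name=John Roe,dob=1975-11-19,dx=I10\n")

// NewKey returns a fresh random 256-bit data-encryption key. In practice the
// key is generated and held by a KMS or HSM (assumed here); it must never be
// written to the same tape, drive or laptop it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptBackup seals plaintext with AES-256-GCM. label is authenticated but
// not encrypted (e.g. the tape serial and backup date), so a ciphertext
// restored under a different label is rejected.
// Output layout: nonce || ciphertext || tag.
func EncryptBackup(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// One random 96-bit nonce per backup. A nonce must never repeat under the
	// same key, so rotate the key long before the backup count grows large.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptBackup reverses EncryptBackup. It fails closed, returning no
// plaintext at all, on a wrong key, a wrong label or any modified byte.
func DecryptBackup(key, data, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], label)
}

// newAEAD builds the AES-256-GCM instance and rejects keys of the wrong size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	label := []byte("tape-serial:TC0042;2011-09-30")
	tape, err := EncryptBackup(key, sampleBackup, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape holds %d bytes of ciphertext and no plaintext\n", len(tape))

	// A thief who steals the tape does not have the key; a guessed key fails.
	thiefKey, _ := NewKey()
	if _, err := DecryptBackup(thiefKey, tape, label); err != nil {
		fmt.Println("stolen tape, wrong key:", err)
	}

	// The rightful owner restores it with the key fetched from the KMS.
	restored, err := DecryptBackup(key, tape, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restore ok: %q\n", restored[:28])
}
```

The label is the detail worth copying: binding each ciphertext to a tape identifier means a tape restored under the wrong identity, or a tape whose contents were altered, fails on restore instead of silently loading bad records. What the code cannot show is the operational half of the argument: the key has to be generated and kept somewhere the tape never goes, and a key file written to the same tape or shipped in the same box gives no protection at all.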
Stored data is not the only problem. When data is transmitted electronically it can be intercepted, so data in transit should also be protected with end-to-end encryption, for example TLS for web and application traffic. Encryption will not prevent every data breach, but it will better protect patients and prevent more "mega" data breaches of this kind.