Protected health information breach analysis

Redspin released an analysis of all protected health information breaches publicly recorded between August 2009 and the end of 2010, as per the interim final breach notification of the HITECH Act.

A total of 225 breaches of protected health information affecting 6,067,751 individuals have been recorded since the interim final breach notification regulation was issued in August 2009 as part of the HITECH Act.

However, these numbers only include breaches that affected more than 500 individuals. The number of breaches that affected less than 500 individuals must also be reported to the Secretary of Health and Human Services (HHS) but are not publicly available.

Redspin’s analysis focuses on single breaches affecting more than 500 people. Such large scale breaches must be reported on a timely basis to individuals, the media and the HHS Secretary according to the HHS Office of Civil Rights’ regulations.

The regulations also require business associates of covered entities to notify the covered entity of such breaches at or by the business associate.

Selected findings from the report include:

• 43 states, D.C. and Puerto Rico have suffered at least one breach affecting over 500 individuals.
• ~27,000 individuals, on average, are affected by a breach.
• 78% of all records breached are the result of 10 incidents, five of which are the result of theft of common storage media e.g. desktop computers, network servers, and portable devices.
• 61% of breaches are a result of malicious intent.
• ~66,000 individuals, on average, are affected by a single breach of portable media.
• 40% of records breached involved business associates.