HITECH Breach Data: the Good, the Bad, and the Ugly

As I’ve discussed before, one of the requirements of the HITECH Act is for the Secretary of the Department of Health & Human Services (HHS) to publish, on a yearly basis, a list of all breaches of healthcare data covered by the HIPAA security rule. The first such publication has been made, covering the period from 22-Sep-09 through 18-Jan-10; you can see it here.

I wanted to take a moment to delve into these data to see what lessons we might glean from them. Overall, the data set covers 36 breaches impacting more than 1M records; the breach impact ranges from 501 to 500,000 records. Here is a look at how it was distributed by the 15 states impacted.

[Chart: Count by State]

[Chart: Records by State]

As you can see, the largest number of breaches occurred in CA – more than any other three states combined; this is probably a reflection of the state data breach laws there. However, the biggest single breach (of 500,000 records) occurred in TN, followed by 359,000 records breached in FL; combined, these two represent about 80% of the total number of breached records reported.

[Chart: Count by Method]

[Chart: Records by Method]

There were eight primary breach methods reported, plus two secondary methods. Focusing on the primary methods, theft was overwhelmingly the most reported, not surprisingly; this is distantly followed by loss (presumably non-malicious) and unauthorized access. Surprisingly, only two reported incidents involved malicious outsiders attacking the organization over the internet (via hacking and phishing).

[Chart: Count by Location]

[Chart: Records by Location]

The breached data covered 15 primary locations (i.e., where the data were stored), plus four additional secondary locations. Endpoints were the most common: laptop (9) + desktop (6) + computer (2). [Not sure why the generic “computer” appears in this list.] The second most common were portable electronic (4) and USB (1) devices. More interestingly, fully 75% of these breaches might have avoided the notification requirement through the use of encryption; those include backup (2) + CDs (1) + computers (17) + HDs (1) + server (1) + portables (5). It’s also interesting to note the disproportionate impact of portable hardware, including external hard drives, laptops and portable devices; all told, these factored in 18 incidents (50%) for 935,624 records (87.1%).
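To make the analysis above reproducible, here is an added example (not part of the original post, and not run against the actual HHS list) that applies the HITECH reporting criteria to a small constructed set of breach records and then computes the same kinds of shares discussed above: which incidents could have fallen under the encryption safe harbor, and how much of the impact comes from portable hardware. The record layout, location categories and sample values are assumptions chosen to mirror the HHS list's columns.

```python
from collections import defaultdict

# Constructed sample records (NOT the HHS list):
# (state, breach method, location of the data, individuals affected, data encrypted?)
SAMPLE_BREACHES = [
    ("CA", "Theft", "Laptop", 2500, False),
    ("CA", "Theft", "Desktop Computer", 1200, False),
    ("CA", "Loss", "USB Drive", 800, False),
    ("TN", "Theft", "External Hard Drive", 500000, False),
    ("FL", "Theft", "Laptop", 359000, False),
    ("NY", "Unauthorized Access", "Paper Records", 3000, False),
    ("TX", "Hacking", "Network Server", 6000, False),
    ("WA", "Theft", "Laptop", 4000, True),      # encrypted: safe harbor, not listed
    ("OH", "Loss", "Backup Tapes", 450, False),  # under 500 individuals: not listed
]

# Locations where encrypting data at rest is practical (assumed categorisation).
ENCRYPTABLE = {"Laptop", "Desktop Computer", "USB Drive", "External Hard Drive",
               "Network Server", "Backup Tapes", "CDs", "Portable Electronic Device"}
# Portable hardware, the category the post singles out as disproportionate.
PORTABLE = {"Laptop", "USB Drive", "External Hard Drive", "Portable Electronic Device"}


def reportable(records, encrypted):
    """HITECH public-list criteria: 500 or more individuals and unencrypted PHI."""
    return records >= 500 and not encrypted


def analyze(breaches):
    """Aggregate the listable breaches by state and location and compute shares."""
    by_state = defaultdict(lambda: [0, 0])     # state -> [incidents, records]
    by_location = defaultdict(lambda: [0, 0])  # location -> [incidents, records]
    encryptable, portable, total = [0, 0], [0, 0], [0, 0]
    for state, _method, location, records, encrypted in breaches:
        if not reportable(records, encrypted):
            continue  # would not appear on the HHS list at all
        buckets = [by_state[state], by_location[location], total]
        if location in ENCRYPTABLE:
            buckets.append(encryptable)
        if location in PORTABLE:
            buckets.append(portable)
        for bucket in buckets:
            bucket[0] += 1
            bucket[1] += records
    return {"total_incidents": total[0], "total_records": total[1],
            "by_state": dict(by_state), "by_location": dict(by_location),
            "encryption_avoidable_share": encryptable[0] / total[0],
            "portable_incident_share": portable[0] / total[0],
            "portable_record_share": portable[1] / total[1]}
```

Swapping SAMPLE_BREACHES for rows parsed from the published list would reproduce the per-state and per-location charts above directly.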

One last point. Overall, the total number of incidents reported, at 36 for approximately four months, doesn’t seem so bad – right? However, a cursory glance at the data collected by datalossdb.org suggests that the HHS does not have the full picture just yet – not sure why (reporting method? period? criteria?), but we’ll have to look into that at some other time.

Oh, and if you have a private practice in Torrance, CA – 09/27 was a bad day for you all. And Mom – your clinic got hit, so you might want to go have a chat with them!
