“Small” Data Breaches Top 9,100 in First Year of Reporting
Reports of large-scale data breaches are commonly in the news—a watch list of sorts has formed around the Health and Human Services Web site that tracks them.
HHS, however, also receives reports of breaches involving fewer than 500 individuals. The department is not required to publish these data, but a glimpse of the totals appeared in paperwork related to the federal 2012 budget.
In a written justification of its 2012 budget request, the Office for Civil Rights reports that as of September 30, 2010, it had received 9,109 reports of breaches affecting fewer than 500 individuals. That represents one complete year of reports—an average of 25 reports per day.
The Back Story on Breach Reporting
Breach reporting is a provision of the HITECH Act, which modified HIPAA to require that covered entities report breaches of unsecured protected health information to HHS. Breaches involving 500 or more people must be reported within 60 days of their discovery. HITECH directs HHS to publish these reports on its Web site. (It also requires covered entities to notify the affected individuals and the major media in the region.)
Covered entities must report breaches affecting fewer than 500 individuals annually, within 60 days of the end of the calendar year in which the breaches occurred. HHS is not required to publish these reports; HITECH only stipulates that the department compile them for annual reporting to several Congressional committees.
OCR mentions the reports only in connection with its 2012 budget request. The office, which is responsible for enforcing the HIPAA privacy rule, is requesting additional money for investigations. A current lack of resources has prevented it from investigating reports of breaches affecting fewer than 500 individuals. These reports “are treated as discretionary,” OCR writes, “and only investigated as resources permit.”
In sheer number, the reports of “small” breaches swamp those of the much-publicized large breaches. As of September 30, 2010, covered entities had reported fewer than 200 breaches affecting 500 or more individuals. However, OCR does not mention how many individuals were affected in the small breaches, so it is not possible to compare the impact.
The 9,109 reports also dwarf the expected number of breaches that OCR put forth in its 2009 interim final rule implementing the HITECH modifications. Using information from datalossdb.org, OCR had projected 106 breach reports annually (50 involving fewer than 500 individuals), a number it admitted was a best-guess estimate given the lack of comprehensive historical information.