Breach List Hits 400 Reports, 19 Million Records

It has been two years since enforcement of the federal breach notification rule began, and in that time covered entities and their business associates have logged 400 large-scale breaches dating back to September 2009, the rule’s effective date.

The breach rule describes a covered entity’s responsibilities to notify individuals whose personal health information has been breached. In a breach involving the records of 500 or more people, the covered entity must also notify the Office for Civil Rights within 60 days of discovery, and OCR posts such incidents on its Web site.

In total, the 400 breaches included information on more than 19 million people. The median was 2,200 people; the largest breach recorded involved the loss of a backup tape containing information on more than 4.1 million people.

The theft and loss of hardware, portable media, and paper continue to be the leading causes of breaches, accounting for 68 percent of incidents over the period. The second-largest category was unauthorized access or disclosure, at 20 percent.

More than one breach in five (22 percent) involved a business associate, a strong reminder to covered entities that their BA contracts should spell out each party’s responsibilities in the event of a breach.

The industry has been reporting breaches in compliance with an interim final rule. OCR appeared on the verge of publishing a final rule in spring 2010, but it withdrew the rule that summer with little explanation.


  1. The number of affected individuals (19 million) as reported by OCR in their data breach report reinforces the responsibilities of both Provider and Business Associate. For Providers, simply obtaining a signed Business Associate Agreement may not be enough to meet their risk management goals. As a result, additional due diligence requirements may need to be built into the BAA. Likewise, Business Associates (now required to follow the security rule) may find a third-party risk analysis valuable both internally and to demonstrate their conformance with the Provider’s BAA. I touch on this subject in a recent article for Privacy Analytics.

  2. Yes, you’re right, it will depend on the willingness of agencies to implement such a system. Such willingness may rely on public perceptions of what is or is not desirable, which in turn relies on a public understanding of what is at stake in the networking of information and associated identities.