Breach List Hits 400 Reports, 19 Million Records
It has been two years since enforcement of the federal breach notification rule began, and in that time covered entities and their business associates have logged 400 large-scale breaches dating back to September 2009, the rule’s effective date.
The breach rule sets out a covered entity's obligation to notify individuals whose protected health information has been breached. When a breach involves the records of 500 or more people, the covered entity must also notify the Office for Civil Rights within 60 days of discovering it. OCR posts such incidents on its website.
In total, the 400 breaches exposed information on more than 19 million people. The median incident affected 2,200 people; the largest on record involved the loss of a backup tape holding information on more than 4.1 million people.
Theft and loss of hardware, portable media, and paper remain the leading cause of breach, accounting for 68 percent of incidents over the period. The second largest category was unauthorized access or disclosure, at 20 percent.
More than one breach in five (22 percent) involved a business associate, a strong reminder to covered entities that their BA contracts should spell out each party's responsibilities in the event of a breach.
The industry has been reporting breaches in compliance with an interim final rule. OCR appeared on the verge of publishing a final rule in spring 2010, but it withdrew the rule that summer with little explanation.