September marks the three-year anniversary of the Department of Health and Human Services Office for Civil Rights (OCR) requirement that healthcare providers and their business associates report large-scale breaches for public online posting.

Since September 2009, 489 breaches affecting 500 or more people have been reported to OCR. These breaches collectively have impacted over 21 million people, who have had their medical records and personal information compromised, lost, or stolen, according to the publicly accessible breach list posted on OCR’s Web site.

Tens of thousands of smaller breaches affecting under 500 people have also been reported to OCR over the last three years, though details on these breaches are not reported on the Web site.

The requirement for healthcare providers and their contractors to report personal health information breaches to OCR was included in the American Recovery and Reinvestment Act of 2009. The goal of the online breach list is to enhance patient privacy by holding healthcare providers more publicly accountable for the breach or loss of patients' health information.

A total of six healthcare entities have had single breaches that affected over 1 million people since 2009: three resulting from theft of the information, two from loss of the information, and one from an unknown cause, according to OCR.

The largest breach to date involved the theft of 4.9 million individuals' medical records in September 2011. A San Antonio-based employee of the Science Applications International Corp., a business associate of the federal government's TRICARE health provider, told police he was transferring backup data tapes containing 4.9 million patient medical records from one federal facility to another when his car was broken into and the tapes were stolen.

The most common cause for the large-scale breaches was theft, accounting for 55 percent of the 489 incidents. Unauthorized access/disclosure of protected health information accounted for 20 percent of the incidents, followed by loss of information at 11 percent, hacking at 6 percent, improper disposal at 5 percent, and unknown/other at 3 percent.

A total of 21,021,132 people were impacted by the breaches, according to OCR.