After One Year of Breach Reporting, Theft Still Leads
With one year of breach reporting on the books this month, theft remains the most common cause of data breach in healthcare. Of the 241 large-scale breaches reported to the Department of Health and Human Services by February 20, 2011, 136 (56 percent) involved theft. Of those, nearly 100 involved a laptop, desktop computer, or network server.
Lost equipment or records accounted for an additional 36 breaches. Together, loss and theft account for more than 7 in 10 of the breaches on file, involving unsecured, personal information on an estimated 6.6 million people.
This is a far more mundane picture than fears of cyber theft conjure. Hacking and IT incidents accounted for just 6 percent of breaches and 6 percent of people affected by breach during the period.
The incidents covered the period from September 2009 through December 2010. The breaches were reported between February 2010 and February 2011.
Final Rule Still to Come
Organizations have been reporting breaches under a federal rule on breach notification that took effect February 2010. The rule resulted from one of several privacy-related provisions in the American Recovery and Reinvestment Act of 2009.
Under the rule, organizations must report all breaches of unsecured protected health information to Health and Human Services at least annually. Breaches involving 500 or more people must be reported within 60 days. The department posts these reports publicly.
Organizations must also notify the individuals whose information is breached.
The industry is currently working under an interim final rule. A final rule was in the offing last July but was pulled without explanation. Health and Human Services has not said when a final rule will be published, but there is some expectation it could come in the next one or two months.
The most watched-for provision in the final rule will be the so-called harm threshold, which under the interim rule allows the organization to determine whether a breach represents significant risk of harm to the individuals involved. If the organization determines the risk of harm is slight, it may forgo notification.
The threshold is intended to reduce administrative burden in instances where little risk of harm exists. However, those opposed to the provision argue it reduces transparency and that such a decision should not be in the hands of the organization.