“Small” Data Breaches Top 9,100 in First Year of Reporting

Reports of large-scale data breaches are commonly in the news—a watch list of sorts has begun over the Health and Human Services Web site that tracks them.

HHS, however, also receives reports of breaches involving fewer than 500 individuals. The department is not required to report these data publicly, but a glimpse of the totals occurred in paperwork related to the federal 2012 budget.

In a written justification of its 2012 budget request, the Office for Civil Rights reports that as of September 30, 2010, it had received 9,109 reports of breaches affecting fewer than 500 individuals. That represents one complete year of reports—an average of 25 reports per day.

The Back Story on Breach Reporting

Breach reporting is a provision of the HITECH Act, which modified HIPAA to require that covered entities report breaches of unsecured protected health information to HHS. Breaches involving 500 or more people must be reported within 60 days of their discovery. HITECH directs HHS to publish these reports on its Web site. (It also requires covered entities to notify the affected individuals and the major media in the region.)

Covered entities must report breaches affecting fewer than 500 individuals annually, within 60 days of the end of the calendar year in which the breaches occurred. HHS is not required to publish these reports; HITECH only stipulates that the department compile them for annual reporting to several Congressional committees.

OCR mentions the reports only in connection with its 2012 budget request. The office, which is responsible for enforcing the HIPAA privacy rule, is requesting additional money for investigations. A current lack of resources has prevented it from investigating reports of breaches affecting fewer than 500 individuals. These reports “are treated as discretionary,” OCR writes, “and only investigated as resources permit.”

In sheer number, the reports of “small” breaches swamp those of the much-publicized large breaches. As of September 30, 2010, covered entities had reported fewer than 200 breaches affecting 500 or more individuals. However, OCR does not mention how many individuals were affected in the small breaches, so it is not possible to compare the impact.

The 9,109 reports also dwarf the expected number of breaches that OCR put forth in its 2009 interim final rule enacting the HITECH modifications. Using information from datalossdb.org, OCR had projected 106 breach reports annually (50 involving fewer than 500 individuals), a number it admitted was a best-guess estimate given the lack of comprehensive historical information.


  1. This is an incredible and incredilby useful report. Those of us in the industry have suspected for a long time that the breaches reported to HHS were the tiniest tip of a gigantic iceberg. This provides the smoking gun.
    It is critical that OCR publish some reports on small breaches by small organizations. There a million small holes in this healthcare databoat and currently no one is trying to plug them. People need to see that organizations just like theirs are being audited and that there are costs for breaches. This does not necessarily have to be a fine but the cost of remediation as well as the public relations blackeye. Small breaches have high costs for the patients involved as well as the organization that had the leak.
    The big fines for the big companies help spread the word but over 9,000 small breaches reported indicates a huge problem that is not being addressed.

    Post a Reply
  2. I agree, fines are not always the answer and we have a severe problem that is not widely known or being addressed. These small breachs are just as important as the big ones. Just not big news – if only 400 persons information was breached and it was not reported as a large breach – the effects can still be the same to the people whose information was stolen, hacked or otherwise compromised. What happens next? Are they being notified and to what resolution, what recourse do they have? Once this information is out there, the people are subject to identity theft and medical identity theft which can be hard to resolve on many levels. This is a bigger problem then most people realize until it hits at home.
    This problem affects many industries – insurance companies, hospitals, providers, other patients (rise in health care costs), and the patient whose information has been compromised. This problem affects all areas of HIM information sources and those who provide and distribute health care information. There is no “quick” fix, but each indivual person can mitigate the problem, by checking their EOB’s when received, acting on the information when given notification that their information was compromised. Also by the industry providing education to people on how to help prevent/combat the problem when or if it occurs.

    With the advent of new technology and ways for patients to access their information via “portals”, this may become a more wide scale issue. Perhaps with new technologies and education we can shore up the dam before it breaks.

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Share This

Share This

Share this post with your friends!