With 2013 in the books, it’s time to look back at some of the biggest health information privacy blunders of the year. The list below represents the ten largest HIPAA data breaches as tracked by the U.S. Department of Health & Human Services (HHS), based on the total numbers of affected individuals.
While penalties haven’t been handed down and lawsuits settled, each of the below likely represent millions of dollars in fines and settlements. For example, during 2013 HHS handed out penalties ranging from $150,000 to $1.7 million. Potential class action lawsuits and the cost of providing fraud protection for those affected can quickly propel those costs into the tens of millions or even billions.
So on that happy note, let’s dive in!
#1: Advocate Medical Group
People Affected: 4,029,530
Date of Breach: 7/15/2013
In the 2nd largest data breach ever reported through the HHS database, four laptops containing more than 4 million patient records were stolen. Advocate Medical Group did not notify affected patients until more than a month after the theft, and stated the laptops were password protected. However, this did little to assuage fears, as device passwords are easily overcome. The lost data included social security numbers, which places the patients at higher risk of identity theft.
The total number of affected individuals is eclipsed only by a 2011 incident in which 4.9 million medical records were compromised when backup tapes were reportedly stolen from an employee’s car. A class action lawsuit for the 2011 event seeks $4.9 billion ($1,000 for each person affected).
#2: AHMC Healthcare
People Affected: 729,000
Date of Breach: 10/12/2013
In October thieves accessed a sixth-floor, video-monitored office to steal two laptops, which contained Medicare patient data from six AHMC hospitals in California. The theft occurred on a Saturday and was not detected until Monday. The compromised patient data included names, diagnoses, and insurance information. About 70,000 also had their Social Security numbers compromised.
AHMC stated they had recently completed a 3rd party security risk assessment, but had not yet taken the step of encrypting all employee laptops.
#3: Texas Health Harris Methodist Hospital Fort Worth
People Affected: 277,014
Date of Breach: 5/11/2013
In a bizarre incident, sheets of microfiche containing patient records from the ‘80s and ‘90s were found in several Fort Worth public areas. Upon investigation, Texas Health Fort Worth found that their vendor Shred-it had failed to destroy the microfiche as contracted. The extent of the lost microfiche is unknown, but is expected to include Social Security number and other private data.
#4: Indiana Family & Social Services Administration
People Affected: 187,533
Dates of Breach: 04/06/2013-05/21/2013
A computer programming error by a business associate wreaked havoc on Indiana FSSA’s client mailers. The program glitch caused extra pages from client notifications to be mixed into mailings to other clients, compromising medical and financial information for up to 187,533 clients, and Social Security numbers for almost 4,000 of them.
#5: Cogent Healthcare, Inc.
People Affected: 32,151
Dates of Breach: 05/05/2013-06/24/2013
Patient medical treatment history was compromised when a Cogent Healthcare business associate stored the data on a non-secure site, opening up public access to the records for more than a month. The business associate, a transcription company, left a firewall open, making the supposedly-private website housing the records accessible to the human users and webcrawlers. Some records were subsequently indexed by Google.
#6: Orthopedics & Adult Reconstructive Surgery
People Affected: 22,000
Dates of Breach: 03/01/2013 – 03/13/2013
While few details have been disclosed about this breach, it appears that patient data was compromised when a business associate lost a portable device. Ironically, it appears that the records may have been lost in the process of transferring them to a different storage platform to better comply with regulations.
#7: Raleigh Orthopaedic Clinic
People Affected: 17,300
Date of Breach:1/15/2013
In another bizarre incident, a contractor hired to transfer x-rays to electronic format instead sold the x-ray films to be scrapped for their silver. The network of clinics has determined they were victims of a scam. Unfortunately, the final state of the x-rays are unknown, but are believed to have been destroyed.
#8: Delta Dental of Pennsylvania
People Affected: 14,829
Date of Breach: 3/20/2013
In another mailing mishap, a Delta Dental of Pennsylvania letter to an employer containing a listing of employee names and SSNs arrived opened, with several pages missing.
#9: Lucile Packard Children’s Hospital
People Affected: 12,900
Date of Breach: 5/8/2013
In this data breach at a Stanford University hospital, an older, out-of-use laptop was stolen from an access-controlled office. The stolen laptop, which was damaged and scheduled to be taken out of circulation, was not encrypted, leaving an unknown amount of pediatric patient data at risk.
#10: United HomeCare Services, Inc.
People Affected: 12,299
Date of Breach: 1/8/2013
In another case of encryption coming to late, a United HomeCare laptop scheduled to be encrypted was stolen from an employee’s vehicle, compromising health records and personal information of patients and family members. Like the many other HIPAA violations due to stolen laptops, the theft appeared to have been random, and not a “targeted attempt to steal information.”
The Top Two Ways to Stay Off This List
While the number of impacted individuals will likely grow as additional violations are uncovered, so far 2013 included more than 140 separate HIPAA violations that involved more than 500 people. In all, more than 5.7 million individuals were reported to have been effected.
When you dig into the full list of the violations, some clear patterns appear. Around 30% of the violations were due to theft or loss of an unencrypted laptop or portable device. And, almost 20% were due to a business partner.
For HIPAA-covered institutions, the two best recommendations I have for keeping yourself off this list during 2014 are:
- Encrypt any devices that touch patient data. This takes a concerted effort and investment, but as you can see from half of the top ten breaches, electronic devices get stolen, and password protection is never enough.
- Choose business associates who value data security and HIPAA compliance as much as you do. Ideally, choose one who will guarantee it.