Little breaches add up—to 32,000
Just another quick note here about lax health information security: It's worse than you think.
We've written repeatedly about the number of breaches of 500 or more records reported to the Office for Civil Rights at HHS.
Since September 2009, the American Recovery and Reinvestment Act has mandated that organizations confess these misdeeds. Through May 31, 2011, there have been 281 of these big goofs posted online involving nearly 11 million records.
These high-profile breaches often become big-dollar expenses for the organizations that make the headlines.
Under the stimulus law, however, organizations with breaches involving fewer than 500 records are also required to report them to the OCR, and the regulator is to compile all breach information in an annual report to Congress.
That report remains a work in progress, but as of the end of May, HHS had received an astonishing 32,000 breach reports that involved fewer than 500 records, according to the OCR's Rachel Seeger. Of those, HHS received more than 5,500 reports of these little breaches from Sept. 23-Dec. 31, 2009, in its initial, partial year of data collection. More than 25,000 notifications of little breaches were received in 2010, again according to Seeger.
When I asked last week, the OCR didn't have a total number of patient records affected by these lesser breaches, their causes or the types of media that were compromised. But I've asked for an electronic data dump of the 32,000 or so reports, and if and when they arrive, I'll try to add them up and analyze them for another blog post—that is, if the OCR doesn't beat me to it.
As government IT officials are fond of saying, privacy and security are "foundational" to patient trust in health information technology. Unfortunately, given these whopping breach numbers, our health IT security systems are more like sieves than foundations.
Follow Joseph Conn on Twitter: @MHJConn.