Nearly 21 million individuals have had their medical records compromised in breaches large enough to require public reporting to the Office for Civil Rights at HHS.
Since September 2009, there have been 477 breaches reported to the Office for Civil Rights affecting 500 or more people, according to a publicly viewable list on the office's website.
The breach notification and reporting mandate was part of more stringent privacy and security provisions of the American Recovery and Reinvestment Act of 2009.
Tens of thousands of breaches that involve fewer than 500 records have also been reported, according to the Office for Civil Rights, but details of these lesser breaches are not required to be posted to the website.
Six healthcare organizations have suffered breaches compromising 1 million records or more.
The list is topped by an incident last September involving the loss of 4.9 million records by an employee of Science Applications International Corp. He reported to police that some backup tapes carrying data on the medical treatment of military personnel kept by the Tricare Management Activity were stolen from his car in Austin, Texas.
Loss of data by a vendor is nothing unusual. In 100 of these larger breach incidents (roughly 21%), a business associate of a "covered entity," as defined under the Health Insurance Portability and Accountability Act of 1996, was also affected in the breach, Office for Civil Rights data show.
In total, the records of 20,970,222 individuals have been potentially exposed in these major breaches thus far.
The median breach on the list involves the records of 2,184 people; the average is 43,963.
Theft is the most commonly reported breach type (54%), followed by unauthorized access or disclosure (20%), loss (11%), hacking (6%), improper disposal (5%) and other/unknown (4%).