HHS' civil rights office for the first time has posted brief descriptions of breaches of personal health data reported by organizations under the requirements of the American Recovery and Reinvestment Act of 2009, also known as the stimulus law.
Covered organizations must tell HHS within 60 days when they experience breaches of health data affecting 500 or more people, and HHS in turn must post the events online for public viewing.
The inaugural list is made up of 36 reports from sources that include private medical practices, hospitals, health systems and public agencies. The breaches affected as few as 501 people and as many as 500,000. The most common cause was theft of computers, servers, hard drives, backup tapes and other storage media. Other breaches involved errant e-mail, misdirected postcards and phishing scams. In a few cases, it was a business associate rather than the healthcare organization itself that was responsible for the breach.