In six months, HHS has posted information about 64 healthcare organizations that have suffered breaches of patient medical records extensive enough to warrant public posting under the requirements of the American Recovery and Reinvestment Act of 2009, also known as the stimulus act.
Posting dates range from September 2009 through March 2010.
Under the stimulus act, HHS is obliged to post a list of breaches of so-called “unsecured protected health information” if the breach involves the records of 500 or more individuals. Among the more common offenders, there are 23 hospitals on the list, 13 health plans, 13 physician offices and four clinics. The average physician office breach affected 4,496 individuals while the average hospital breach involved 6,251.
The median size of breach across all 64 organizations reporting was 2,667 records. An average across all breaches would be meaningless given the range, with the upper extremes approaching 1 million records.
Health plans, in fact, had three of the top five breaches and—far and away—the two worst. Blue Cross and Blue Shield of Tennessee had more than 998,000 records exposed and AvMed of Florida, owned by SantaFe HealthCare, had 359,000 records, according to the posting.
Overwhelmingly, theft of a record storage device was the most common type of breach, representing roughly two-thirds of those listed, while hackers accounted for just two breach incidents, or about 3%. Laptop computers were the most frequently stolen data storage device, representing 26% of the breaches reported, followed by paper records at 19% and desktop computers at 16%.
California, home to the first state breach-notification law, had the most reported incidents, at 20%, followed by Texas, 6%.