The latest offender is the Oklahoma State Health Department. It reported recently that a laptop was stolen from an employee's car on April 6. To make matters worse, the aforementioned 133,000 records on that laptop were from the state's birth defects registry.
The magnitude of the loss will qualify the state agency for free admission to the public rogues' gallery kept by the Office for Civil Rights at HHS. The list is reserved for healthcare organizations that have experienced security breaches involving 500 or more patient records.
So far, there are 256 breaches on the list, which the OCR began compiling in September 2009 pursuant to enhanced privacy and security requirements of the American Recovery and Reinvestment Act of 2009. In total, these breaches have put 10.2 million patient records at risk, with a mean exposure of 2,292 records per breach.
By my unofficial count, 106 of these "worst of the worst" breaches, or 41%, involved the loss of some form of portable device, including 66 laptop computers.
The Privacy and Security Tiger Team on Wednesday submitted a series of recommendations to the federally chartered Health IT Policy Committee. One of them was a call for HHS to "shine a light" on the problem of insecure data at rest. They want HHS in its next round of meaningful-use criteria to require that providers address encryption/security functionalities for data at rest and "attest" that they've reviewed their data security requirements under the Health Insurance Portability and Accountability Act. The Tiger Team's own letter of recommendations to the ONC cites the number of breaches on the OCR "wall of shame," adding "there have been more than 14,000 breach reports involving less than 500 affected individuals."
Tiger Team Chairwoman Deven McGraw pointed out to me in an e-mail that the EHR certification criteria for Stage 1 now in effect require that these systems be able to encrypt data at rest. But the Tiger Team stopped short of recommending that an encryption use requirement be baked into the Stage 2 meaningful-use criteria now being developed.
"The team recognized that covered entities may reasonably use different approaches for protecting data at rest depending on the location, portability and immediate use of the data," McGraw said during the Health IT Policy Committee meeting. McGraw serves as director of the Health Privacy Project at the Center for Democracy and Technology.
Sad to say, but I'm beginning to doubt whether the industry's lax attitude toward data security is going to change until the federal government puts a stake in the ground and requires encryption compliance.