Three of the top six “most significant” data breaches of 2011 involved patient medical records, according to the San Diego-based Privacy Rights Clearinghouse.
Top data breaches involved medical records
The healthcare breaches topping the list were at Sutter Health; Tricare Management Activity with an assist by Science Applications International Corp.; and Health Net, and involved more than 11 million records combined.
According to a clearinghouse statement, 2011 has been a “significant year” for data security violations, with 535 breaches involving a combined total of 30.4 million sensitive records already on the list this year, including “some of the biggest data breaches in our history.” The chronology counts records that contain data that might be useful to identity thieves, including Social Security, driver's license and financial account numbers as well as medical information, the association said.
Since 2005, when the organization began compiling its Chronology of Data Breaches, 543 million records have been breached, “a conservative number,” Beth Givens, clearinghouse director, said in a news release.
The American Recovery and Reinvestment Act of 2009 required healthcare “covered entities” to report breaches of 500 or more records containing patient-identifiable information to the Office for Civil Rights at HHS and post basic information about the breaches on a public website. But information about tens of thousands of lesser breaches, though reported to the civil rights office, is being withheld by HHS despite requests by Modern Healthcare under the Freedom of Information Act.
According to Givens, nondisclosure of breaches remains commonplace.
“We generally learn about breaches that garner media attention,” Givens said. “Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about. Our chronology is only a sampling.”
Givens, in a telephone interview, said the three major healthcare breaches on the list were “all easily preventable.”
“That speaks to two things,” she said. “One is lack of training and the other is not enough attention is being paid to the security of healthcare information. Why was the data not encrypted? We wouldn't be having this conversation if it had been.”
And one more thing, Givens said, “Why, in this day and age is the Social Security number used as both an identifier and an authenticator? If the Social Security number wouldn't be useful to identity thieves, we wouldn't be in the mess we're in today.”
As a consequence, she said, “many medical breaches have what I call the triple whammy.” That is, not only is sensitive medical information exposed, but often so, too, are the patient's Social Security number and date of birth, Givens said. “With the Social Security number and date of birth, it's useful for identity thieves, and with the medical information, to medical identity theft.”