Year closes on a note of breach shame

Three-eighty. Three-eighty. Do I hear four hundred?

With 2011 winding down, there are now 380 major data breaches involving 500 or more patients' records listed on the "wall of shame" website kept by HHS' Office for Civil Rights.

So far, from the first wall postings in September 2009 through the latest on Dec. 8 this year, there have been 18,059,831 "individuals affected," and even that massive number is an undercount of the breach problem.

First, the civil rights office hasn't yet released the records of tens of thousands of breaches it has received under a federal reporting mandate on breaches affecting fewer than 500 patients per incident. I've been asking for electronic copies of those records since June. I hope to hear soon on an appeal of a decision last fall by HHS, claiming that the civil rights office can hide those reports while it "investigates" an estimated 30,000 or more breaches they describe.

Second, even the OCR's posted numbers are low.

A Nov. 4 public notice on a breach reported by the UCLA Health System states that "some personal information on 16,288 patients" was stolen, but the wall of shame lists the "individuals affected" in the UCLA incident as 2,761.

UCLA spokeswoman Dale Tate said in an e-mail that the nearly six-times-larger number in its notice "represents the number of individuals who had some information on the hard drive," while the 2,761 figure sent to the OCR "represents the number of people that met the specific criteria" under the federal breach notification rule.

Under the federal rule, Tate says, "the information for these individuals could possibly cause more than a minimal amount of financial, reputational or other harm." Information on the rest of the individuals, Tate said, did not meet the criteria.

Not to get too harpy, but this breach stuff is long past being ridiculous.

The lawyers are already all over it, and maybe that's what it will take for the industry to finally start addressing the problem. Brian Kabateck, a California lawyer, thinks so.

In the past three months, his Los Angeles law firm has filed a pair class-action breach suits against two of the most highly regarded healthcare systems in the state, University of California, Los Angeles and Stanford, as well as one of the latter's business associates, Multi-Specialty Collection Services.

"I think this is a short blip on the radar," Kabateck said. As the settlement costs pile up, he said, "I think big institutions are going to learn—five years from now, these lawsuits are going to be obsolete."

Right now, though, Kabateck says, "This is not to the level of being an epidemic, but it's close."

By the way, if you're a leader of a provider organization and are interested in health IT, please consider contributing your wisdom to our 22nd annual Modern Healthcare/Modern Physician Survey of Executive Opinions on Key IT Issues. I'd be much obliged. The deadline is Jan. 20, 2012. To participate in the survey, click here.

Follow Joseph Conn on Twitter: @MHJConn.