That sober assessment came from written testimony by Gregory Wilshusen, the GAO's information security issues director, before a Senate Homeland Security and Governmental Affairs subcommittee hearing.
Wilshusen's report, Federal Law Should Be Updated to Address Changing Technology Landscape, focused on data-handling across all federal agencies, but several high-profile healthcare data breaches were mentioned.
One was the October 2009 theft of 57 unencrypted computer drives from an office of Blue Cross and Blue Shield of Tennessee, exposing more than 1 million records. In March, the Blues plan agreed to pay a $1.5 million penalty for privacy violations. The Tennessee incident is one of the five largest breaches—all involving more than 1 million records—among more than 50,000 breaches that have been reported to the Office for Civil Rights at HHS since September 2009 under the American Recovery and Reinvestment Act's breach notification mandate.
So far, details of 477 of them—those affecting the records of 500 or more individuals—have been posted online by the Civil Rights Office. More than half, or 55%, have involved theft of records or equipment on which those records are stored, while only 8% were attributed to hacking (see chart).
In July, Beth Israel Deaconess Medical Center, Boston, reported it would notify about 3,900 patients that their medical data was on a laptop stolen from a physician, while NYU Langone Medical Center reported 8,400 patients' records were on a physician's stolen laptop.
According to the GAO, the number of data-security incidents involving federal agencies reported to the Department of Homeland Security's U.S. Computer Emergency Readiness Team has risen significantly in recent years, up from 5,503 in fiscal 2005 to 42,887 in fiscal 2011. Among the 2011 incidents, 15,560 involved the unauthorized disclosure of personally identifiable information, Wilshusen said.
As a potential remedy, Wilshusen proposed that Congress consider amending the Privacy Act of 1974 and the E-Government Act of 2002, which limit the use of personally identifiable information to a stated purpose, and revising the scope of federal data privacy laws “to cover all personally identifiable information collected, used and maintained by the federal government.”
The Privacy Act defines a record as an item maintained by a government agency and a “system of records” as a group of records under the control of an agency that can be retrieved by a person's name or identifier. But while these protections apply to government-run databases, the government also uses many newer Web-based technologies, such as wikis, blogs, video-sharing sites and social media, which are not directly under government control.