Large health-records breaches down this year

There is some good news on the healthcare data-breach front. According to data compiled on the larger breaches of patient-identifiable medical records reported to HHS' Office for Civil Rights, 2012 is on track to record fewer breaches than any full year since the American Recovery and Reinvestment Act of 2009 required such reports.

Through Sept. 15, 87 major breaches this year have made the Civil Rights Office's "wall of shame" for incidents involving the exposure of records of 500 or more individuals.

That's an average of 10.2 breaches a month. And that's down from an average of 12.8 a month in 2011, 17.8 a month in 2010 and 13.3 a month for the latter part of 2009, the first year of the reporting program. That year, reports didn't begin until September.

In 2012, among breaches involving 500 or more individuals' records, the average breach involved the records of 22,043 individuals. The 2012 figure is more than a third of the 71,368 average last year, which was ballooned by three of the five largest breaches to make the Civil Rights Office's list. The largest, involving Tricare Management Activity and its data backup vendor, SAIC, exposed the records of 4.9 million active-duty and retired military personnel and their family members.

While progress has been made, it's hardly a record to brag about.

So far this year, more than 1.9 million individuals' records have been exposed in those 87 larger breaches. The median breach involved 2,917 individuals this year, compared with 3,450 in 2009, 2,037 in 2010 and 2,122 in 2011.

All told, 507 breaches involving the exposure of records of nearly 21.3 million individuals in total are posted on the Civil Rights Office's website. HHS' Civil Rights Office does not publicly post the tens of thousands of smaller breaches reported to it involving fewer than 500 records.