Vital Signs Blog

Major medical records breaches pass 1,000 milestone as enforcement ramps up

Nearly 31.7 million individuals, a number equal to 1 in 10 people in the U.S., have had their medical records exposed through known and reported major data breaches by healthcare providers and their business associates. With 34 publicly reportable breaches coming in June alone, the total number of breaches on the federal “wall of shame” website topped the 1,000 mark this month.

A total of 1,026 breaches have been reported to HHS involving 500 or more individuals since the federal reporting requirement went into effect in September 2009 under the American Recovery and Reinvestment Act, according to the public site kept by HHS' Office for Civil Rights.

In addition, through March 1, 2013, there have been approximately 116,000 reported breaches involving the records of fewer than 500 individuals that are not individually disclosed, according to the most recent OCR count available.

But with the industry's ongoing poor security record as a backdrop, there is evidence that the civil rights office is picking up the pace of its enforcement efforts.

Jerome Meites, the chief regional civil rights counsel for HHS' office covering Illinois, Indiana, Michigan, Minnesota, Ohio and Wisconsin, reportedly told members of the American Bar Association on Thursday that enforcement activities in the year ahead will surpass those of the past 12 months, according to a report of the presentation in 360 Law.

Meites is not a member of the OCR staff, but has represented the office in several high-profile breach settlement negotiations, including cases brought against drugstore chains CVS and Rite Aid, which combined totaled $3.25 million.

Meites was speaking as an individual, not on behalf of the civil rights office or HHS, said OCR spokeswoman Rachel Seeger.

“If you compare last year's to this year's, we have increased our actions,” Seeger said. “If that's what he was talking about, yes, already you've seen an uptick.”

Last month, the office reached a record settlement amount for a single breach case when it negotiated a combined payment of $4.8 million with New York-Presbyterian Hospital and Columbia University after 6,800 patient records were exposed to the Internet.

But the focus of the civil rights office in the overwhelming majority of cases is to achieve compliance, Seeger said.

“If you take a look at the reports to Congress, which we posted this week, we have investigated over 32,600 (HIPAA complaint) cases (and) over 22,500 of them have closed with corrective action,” Seeger said.

“The majority of these cases are closed with corrective actions that don't result in these monetary settlements.”

“So, we have these 21 cases that have closed with a monetary settlement,” Seeger said. Settlement amounts for these 21 cases total $25.1 million.

The civil rights office has reached five monetary settlements a year for the prior two years, but has four cases already this year, so Meites' prediction is no surprise, said Adam Greene, a partner with Davis Wright Tremaine and a former senior health information-technology and privacy specialist at the OCR.

Greene said there are still “plenty of breaches” being reported, so even with the vast majority being settled through voluntary compliance, “that leaves a lot of room for penalties.”

Follow Joseph Conn on Twitter: @MHJConn

