Company issues 4th annual report analyzing breaches of protected health information (PHI). Cites 138% increase in large PHI data breaches in 2013; calls out lack of encryption of laptops as major contributing factor.
FEBRUARY 5, 2014 Carpinteria, Calif. – Redspin, Inc., a leading provider of penetration testing and IT security assessments, today released its annual Breach Report 2013 – Protected Health Information. In the report, Redspin provides in-depth analysis of the complete history of PHI data breaches reported to the Department of Health and Human Services (HHS), identifies current trends, and highlights the specific areas most in need of improvement.
The migration from paper-based files to electronic health records (EHR) is well underway. According to industry sources, the number of hospitals that have adopted EHR systems has tripled in the past 3 years. Nearly all health providers have registered for the Federal government’s “Meaningful Use” program – established per the 2009 HITECH Act – which provides monetary incentives based on the adoption, implementation rate, and security of electronic health records.
Yet Redspin reports that nearly 30 million Americans have had their personal health information breached or inadvertently disclosed since 2009. In 2013 alone, 199 incidents of breaches of PHI were reported to HHS impacting over 7 million patient records, a 138% increase over 2012.
“I think the 138% increase in patient records breached caught a lot of people by surprise,” said Daniel W. Berger, Redspin’s President and CEO. “There was a sense that the government’s ‘carrot and stick’ approach – requiring HIPAA security assessments to qualify for meaningful use incentives and increasing OCR enforcement initiatives – was driving real progress.”
“IT security is a complex task,” continues Berger. “Many HIPAA security risk assessments only graze the surface. It is essential that your scope be both broad and deep. The goal is not simply to complete a compliance checklist; it is about safeguarding PHI. That takes organization commitment and investment. Vigilance must be institutionalized.”
In 2013, a single incident – the theft of four desktop computers from an office at Advocate Medical Group – may have exposed over 4 million records alone. The second and third largest breaches were also caused by theft. In each case, unencrypted laptops containing hundreds of thousands of records were stolen. For the past 3 years, Redspin has cited the lack of encryption on portable devices as one of the highest risks to PHI. “It’s only going to get worse given the surge in the use of personally-owned mobile devices at work,” adds Berger. “We understand it can be painful to implement and enforce encryption but it’s less painful than a large breach costing millions of dollars.”