It's a hard knock life for patient privacy - with this past year alone seeing some of the largest data breaches yet investigated by the Department of Health and Human Services (HHS).
Some 21 million patient health records have been compromised since the Aug. 2009 Breach Notification Rule, which requires that HIPAA-covered groups give notification following a data breach involving 500 or more individuals. And, although a December analysis from The Health Information Trust Alliance found a slight decline of these data breaches since 2009, industry susceptibility is still going strong.
Analyzing data from the HHS, Healthcare IT News compiled a list of the top 10 data breaches in 2012. All told, nearly two million patient records have been compromised at these organizations:
• Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March. Officials reported that thieves had begun removing information from the server. Addresses, dates of birth, Social Security numbers, diagnoses codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah Department of Technology Services shut down the server when the breach was discovered April 2. The Utah breach stands as the 9th largest data breach ever reported to the HHS.
• Emory Healthcare, the Atlanta-based hospital system announced April 18 that it had misplaced 10 backup disks containing information for more than 315,000 patients. The disks contained information on surgical patients treated between 1990 and 2007 at Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center. Some 228,000 of the files included patient Social Security numbers, names, surgery dates, diagnoses and procedure codes.
• The South Carolina Department of Health and Human Services reported a data breach that started in January when an employee compiled data on more than 228,000 people and transmitted it to a private email account. Officials estimate some 22,600 people had their Medicaid ID numbers stolen, which were linked to their Social Security numbers. Patient names, addresses and birth dates were also stolen as a result of the act. The former employee, Christopher Lykes Jr., was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.
• Alere Home Monitoring, a Livermore, Calif.-based company that provides home health anticoagulation monitoring services, reported that on Sept. 23 an unencrypted laptop containing patient names, Social Security numbers, addresses and diagnoses was stolen from an employee's car.
• Memorial Healthcare System in Florida notified some 102,153 patients of a breach that occurred between January 2011 and July 2012. A letter sent to affected patients explained that an employee working for an affiliated physician's office might have improperly accessed patient names, dates of birth and Social Security numbers.
• Howard University Hospital in Washington, D.C., notified 34,503 patients of a potential breach of their PHI that occurred in January. An unencrypted laptop was stolen from a contractor's vehicle. The records stolen did contain patient names, addresses, Social Security numbers and diagnoses for many affected. Moreover, the hospital reported that the contractor had stopped working at Howard University Hospital in 2011 but violated policy and continued to download patient data.
• Apria Healthcare, a Lake Forest, Calif.-based home healthcare service company, reported that in June an unencrypted laptop containing the PHI of some 64,846 patients was stolen from an employee's locked car in Phoenix. Patient names, phone numbers, Social Security numbers and possibly clinical data were contained on the laptop.
• The University of Miami reported a July data breach after two university employees were inappropriately accessing some 64,846 patients' "face sheets," which included names, dates of birth, insurance policy numbers, partial Social Security numbers and clinical information. Moreover, in both Medicare and Medicaid insurance plans, patient Social Security numbers are used as the insurance policy number, thus, in these cases, full Social Security numbers may have been compromised.
• Safe Ride Services, the Phoenix-based healthcare transportation company announced in February that a former employee may have accessed computer systems starting August 2011 without authorization and ultimately may have deleted service files. The said files contained both insurance information and patient demographics. Officials said the information has since been restored.
• Integrated Medical Services of Fajardo, Puerto Rico reported a data breach in January after a laptop was stolen containing the PHI of some 36,609 patients. The medical services company is affiliated with the San Juan, Puerto Rico-based Quantum Health Consulting.