10 largest HIPAA breaches of 2012
Patient privacy issues plague and persist
January 1, 2013
From the January 2013 print issue
It's a hard knock life for patient privacy - with this past year alone seeing some of the largest data breaches yet investigated by the Department of Health and Human Services (HHS).
Some 21 million patient health records have been compromised since the Aug. 2009 Breach Notification Rule, which requires that HIPAA-covered groups give notification following a data breach involving 500 or more individuals. And, although a December analysis from The Health Information Trust Alliance found a slight decline of these data breaches since 2009, industry susceptibility is still going strong.
Analyzing data from the HHS, Healthcare IT News compiled a list of the top 10 data breaches in 2012. All told, nearly two million patient records have been compromised at these organizations:
• Utah Department of Health confirmed that a server containing personal health information (PHI) of some 780,000 patients had been actively hacked into starting in March. Officials reported that thieves had begun removing information from the server. Addresses, dates of birth, Social Security numbers, diagnosis codes, national provider identification numbers, billing codes and taxpayer identification numbers were all included on the server. The Utah Department of Technology Services shut down the server when the breach was discovered April 2. The Utah breach stands as the 9th largest data breach ever reported to the HHS.
• Emory Healthcare, the Atlanta-based hospital system, announced April 18 that it had misplaced 10 backup disks containing information for more than 315,000 patients. The disks contained information on surgical patients treated between 1990 and 2007 at Emory University Hospital Midtown and the Emory Clinic Ambulatory Surgery Center. Some 228,000 of the files included patient Social Security numbers, names, surgery dates, diagnoses and procedure codes.
• The South Carolina Department of Health and Human Services reported a data breach that started in January when an employee compiled data on more than 228,000 people and transmitted it to a private email account. Officials estimate some 22,600 people had their Medicaid ID numbers stolen, which were linked to their Social Security numbers. Patient names, addresses and birth dates were also stolen as a result of the act. The former employee, Christopher Lykes Jr., was charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information.
• Alere Home Monitoring, a Livermore, Calif.-based company that provides home health anticoagulation monitoring services, reported that on Sept. 23 an unencrypted laptop containing patient names, Social Security numbers, addresses and diagnoses was stolen from an employee's car.
• Memorial Healthcare System in Florida notified some 102,153 patients of a breach that occurred between January 2011 and July 2012. A letter sent to affected patients explained that an employee working for an affiliated physician's office might have improperly accessed patient names, dates of birth and Social Security numbers.