Healthcare IT News' top 10 list of the largest healthcare data breaches of 2012 should send one clear message: Healthcare organizations are not taking the steps necessary to protect patients' personal health information.
Using data from the Department of Health and Human Services (HHS), we found the majority (6 out of 10) of breaches on the list this year involved the theft of a hospital's unencrypted laptop. Three out of 10 involved employees or former employees downloading, emailing or inappropriately accessing patient information.
The largest such incident of 2012 also proved to be one of the largest data breaches recorded by the HHS. Officials at the Utah Department of Health reported in April that a server containing the PHI of some 780,000 patients had been hacked. The hackers had removed information from the server, including patient addresses, dates of birth, Social Security numbers, diagnoses and taxpayer identification numbers.
2012 also played host to several repeat offenders. Hollywood, Fla.-based Memorial Healthcare System, for instance, experienced a data breach just last year involving nearly 10,000 patient records. The University of Miami and the Utah Department of Health also have blackened records with regard to protecting patients' PHI, as both organizations reported additional breaches within the past two years.
Together with the top 10 list, there are also other groups deserving an honorable mention this year. The Indianapolis-based Cancer Care Group, for example, announced in August that PHI for as many as 55,000 patients could have been compromised after a company laptop was stolen. Upon further investigation by the HHS, Cancer Care Group could effectively take the No. 9 place on our list.
Privacy experts say it is crucial that providers ensure their health IT systems accommodate traditional privacy laws and standards of professional ethics to avoid recurring breaches. In a December interview, Larry Ponemon, president of the Ponemon Institute, told Healthcare IT News Contributing Editor Tom Sullivan that, "All of the evidence suggests that a healthcare record is in fact much, much more valuable than a financial record. It can be used for financial ID theft crimes, or a medical ID theft or both. It provides a dossier of personal information so bad guys can do more and better stuff like create passports, and visas, and because they have physical characteristics as well as information, it’s a big deal. And I see in a number of our studies that it is substantially more valuable than other types of records."
The top 10 healthcare data breaches of 2012:
- Utah Department of Health - 780,000 records
- Emory Healthcare - 315,000 records
- S.C. Dept. of Health and Human Services - 228,435 records
- Alere Home Monitoring, Inc. - 116,506 records
- Memorial Healthcare System, Fla. - 102,153 records
- Howard University Hospital - 66,601 records
- Apria Healthcare - 65,700 records
- University of Miami - 64,846 records
- Safe Ride Services - 42,000 records
- Medical Integration Services, Puerto Rico - 36,609 records