About 30.1M Patients Affected by Health Data Breaches Since 2009
August 20, 2014 in News
The personal data of about 30.1 million people have been affected by the 944 recorded major health data breaches since federal reporting requirements under the 2009 economic stimulus package went into effect, according to an analysis of HHS data, the Washington Post’s “Wonkblog” reports.
HHS defines a major data breach as one affecting at least 500 people.
According to a “Wonkblog” analysis of the data, the types of reported data breaches include:
- Medical record theft, which has affected 17.4 million individuals;
- Data loss, which has affected 7.2 million individuals;
- Hacking, which has affected 3.6 million individuals; and
- Unauthorized access accounts, which has affected 1.9 million individuals.
The analysis did not include the recent Community Health Systems data breach, which affected 4.5 million patients, according to “Wonkblog.”
In addition, HHS data show a number of smaller-scale breaches, or those affecting fewer than 500 individuals.
For example, HHS in 2012 received 21,194 reports of smaller breaches that affected a total of 165,135 individuals.
Overall, data breaches cost the industry $5.6 billion per year, according to a Ponemon Institute report (Millman, “Wonkblog,” Washington Post, 8/19).
Health Care CIOs Boost Data Protection, Communication in Wake of Data Breaches
In response to recent high-profile data breaches, some health care CIOs are altering the way their organizations approach cybersecurity, the Wall Street Journal’s “CIO Journal” reports.
Specifically, CIOs said they are:
- Hiring new, security-focused staff;
- Implementing new security processes;
- Installing new security software; and
- Meeting with their boards more consistently.
Further, some CIOs said they are trying to protect against data breaches through internal training programs that aim to help staff recognize potential threats (Boulton, “CIO Journal,” Wall Street Journal, 8/19).
Hackers Leverage Heartbleed To Access CHS Data
In related news, the hackers who stole the personal data of about 4.5 million CHS patients were able to access the information through the “Heartbleed” Internet bug, according to a data security expert, Reuters reports (Finkle/Kurane, Reuters, 8/20).
CHS discovered the breach last month and believes the cyberattack occurred in April and June.
The incident is the second-largest HIPAA breach ever reported and the largest hacking-related HIPAA data breach ever reported, according to data from the Office for Civil Rights (iHealthBeat, 8/18).
The Heartbleed bug, discovered by a Google engineer and another security team, is a flaw in a Web encryption program known as OpenSSL, which is used by hundreds of thousands of websites including Amazon and Google. Experts say that hackers potentially could use the bug to get sensitive information from:
- Email servers;
- Mobile phones; and
- Security firewalls (iHealthBeat, 4/21).
David Kennedy — CEO of TrustedSec, an information security consulting firm — said that sources close to the investigation confirmed that the hackers had used Heartbleed to pose as employees and access the hospital’s network.
Officials for CHS were not available to confirm the report, according to Reuters (Reuters, 8/20).
CHS on Aug. 20 is expected to formally notify OCR and media outlets about the data breach, as well as begin the patient notification process (Goedert, Health Data Management, 8/19).