OCR: Health records of over 7 percent of U.S. population breached in past 3 years
Health records of over seven percent of the U.S. population – almost 21 million individuals – have been breached in the past three years, according to OCR. Although it may be somewhat of an apples-to-oranges comparison, it is worth noting that outside the health care arena it is not uncommon, in this new era of vanishing personal privacy, for this number of records, and several times this number, to be breached in a single incident. The 2012 theft of 24 million customer records from online shoe retailer Amazon/Zappos may be the most recent of the large-scale data breaches, but it is dwarfed by other breaches in recent years, notably the 2009 Heartland Payment Systems incident in which 134 million records were compromised. According to OCR, the 21 million figure represents only those records compromised in breaches over a certain threshold and does not include smaller-scale breaches.
Via Modern Healthcare:
Since September 2009, there have been 477 breaches reported to the Office for Civil Rights affecting 500 or more people, according to a publicly viewable list on the office's website.
The breach notification and reporting mandate was part of more stringent privacy and security provisions of the American Recovery and Reinvestment Act of 2009.
Tens of thousands of breaches that involve fewer than 500 records have also been reported, according to the Office for Civil Rights, but details of these lesser breaches are not required to be posted to the website.
Six healthcare organizations have suffered breaches compromising 1 million records or more.
The list is topped by an incident last September involving the loss of 4.9 million records by an employee of Science Applications International Corp. He reported to police that some backup tapes carrying data on the medical treatment of military personnel kept by the Tricare Management Activity were stolen from his car in Austin, Texas.
Loss of data by a vendor is nothing unusual. In 100 of these larger breach incidents—roughly 21%—a business associate of a "covered entity" as defined under the Health Insurance Portability and Accountability Act of 1996, also was affected in the breach, Office for Civil Rights data show.
In total, the records of 20,970,222 individuals have been potentially exposed in these major breaches thus far.
The median size of a breach on the list involves the records of 2,184 people; the average is 43,963.
Theft is the most commonly reported breach type (54%), followed by unauthorized access or disclosure (20%), loss (11%), hacking (6%), improper disposal (5%) and other/unknown (4%).
“Large medical-records breaches affect nearly 21 million: OCR,” Modern Healthcare (August 1, 2012)