Records of nearly 8 million patients exposed: HHS
Members of Congress are officially on notice of a widespread security problem with medical record-keeping in the U.S. healthcare industry. The Office for Civil Rights at HHS disclosed last week that more than 30,500 breaches of personal health information involving fewer than 500 records each were reported to the office between September 2009 and the end of 2010. Those small breaches affected a total of about 62,000 individuals.
The numbers were in one of two reports delivered to Congress on breaches of medical records, as well as enforcement of the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996. The reports came two days before it was reported that the names, diagnosis codes and other medical information of about 20,000 emergency department patients of Stanford Hospital & Clinics were posted to the Web a year ago by a vendor’s subcontractor.
The American Recovery and Reinvestment Act of 2009, which amended HIPAA, requires HHS to produce annual reports about violations of the privacy rule, beginning within one year of passage, but these were the first to be issued.
The breach report said the medical records of roughly 7.9 million people were exposed in more than 30,750 total healthcare-related security breaches during the 16-month period.
The stimulus law requires that organizations promptly report breaches of 500 or more records, and basic information about them is published on the agency’s website, so data on these larger breaches has been readily available.
The smaller breaches need only be disclosed to the Office for Civil Rights once a year.
The breach report counted 252 larger breaches, which affected about 7.8 million individuals. These big breaches included some whoppers, each compromising the privacy of more than 1 million people. As of last week, 314 breaches had been posted to the website, involving nearly 11.7 million records.
Lisa Gallagher, senior director of privacy and security for the Chicago-based Healthcare Information and Management Systems Society, said the breach report contained little new information beyond the breach data she has already been tracking and analyzing for briefings with the industry. “There is a huge awareness issue still.”
The Office for Civil Rights needs to do a much better job of educating data users that breaches are a serious problem, she said.
Stanford spokesman Gary Migdol said in an e-mailed statement that the Palo Alto, Calif., system took immediate action when the breach was discovered Aug. 22. “A full investigation was launched and Stanford Hospital & Clinics has been working very aggressively with the vendor to determine how this occurred, in violation of strong contract commitments to safeguard the privacy and security of patient information.”