Another mind-boggling statistic is that 29.2 million patient health records have been compromised in HIPAA data breaches since 2009, according to Redspin, which compiled these numbers in a February 2014 breach report.
But these numbers are skewed, since not all breaches are reported: any breach that involves fewer than 500 people’s health records isn’t required to be publicly reported. Lisa Gallagher, the senior director of privacy and security for HIMSS, said at the 2012 Boston Privacy and Security Forum that it’s more likely that 40-45 million patient health care records have been compromised. While she said that’s a more accurate number, it can’t be confirmed, since the full data isn’t available.
Redspin also broke down the causes of the HIPAA privacy and security breaches reported since 2009: 83 percent involved theft, 35 percent the theft or loss of encrypted devices, 22 percent unauthorized access and 6 percent hacking. Many of these breaches could have been avoided with consistent risk analysis. Risk analysis failures top the list of the most prevalent security issues for business associates and covered entities, based on complaints received by OCR.
While business associates were involved in most of the larger-scale breaches from 2009-2012, they were involved in only 10 percent in 2013. Business associates and covered entities that violate the HIPAA privacy and security rules can face up to $1.5 million in annual fines under the HIPAA Final Omnibus Rule. Only 17 of the 90,000 HIPAA breach cases received by OCR since 2003 have resulted in fines, but those numbers are expected to rise, especially since the official audit program goes live this year.