Now that the first half of the year is behind us, how is the healthcare community faring? Will the data breaches of this year surpass previous years, leaving entities scrambling and millions of patients left vulnerable?
Let’s take a look at the numbers*:
- Approximately 174,792,250 people have been affected by 1,996 HITECH breaches through July 17, according to an analysis by Health Information Privacy/Security Alert of data released by the HHS Office for Civil Rights (OCR)
- Business Associates were involved in approximately 409 breaches with 31,239,362 patients potentially exposed
- In the past month alone, 40 newly posted breaches affected approximately 802,896 patients
Of the 1,996 breaches from January through mid-July, the leading cause of breach is theft – specifically laptop theft resulting in over 5.5 million individuals impacted. However, as consistent with past months/years, still the greatest vulnerability of any healthcare organizations is hacking/IT incident with a network server. With over 119 million patients affected in the past 6 months, IT incidents still reign supreme.
The chart below, created by Melamedia, HIPAA And Breach Enforcement Statistics, shows the breakdown of number of breaches by type.
Office for Civil Rights
As of June 30, OCR had received 158,834 complaints with the 2017 monthly average hovering around 2,000. This is an uptick compared to 1,500 a month in 2015 and 1,750 in 2016.
So, what is happening with these patient complaints? Figures indicate that OCR has resolved 156,467 of the complaints however only a portion fell within their jurisdiction – some requiring action by a Covered Entity or Business Associate.
The Department of Justice (DoJ) is another crucial component in OCR’s resolve to manage patient complaints. In total, OCR has referred 625 complaints to DoJ for possible criminal prosecution; at this time data is not available on how DoJ handled the referrals. The privacy areas most investigated include:
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Use or disclosure of more than the minimum necessary protected health information; and
- Lack of administrative safeguards of electronic protected health information.
*Information and statistics within this blog provided by Dennis Melamed of Melamedia