Feb. 6—More than 7 million patient health records were breached in 2013, which was a 138 percent increase from the preceding year, according to an annual federal tally.

The 7,095,145 health record breaches, which were totaled by Redspin, an IT security consulting firm, were the most reported since the 10.8 million breaches reported for 2011. Federal rules have required since 2009 that healthcare entities report such breaches.

Eighty-three percent of the breaches were the result of theft, which was a higher rate than in previous years. The report’s authors anticipated a continued increase in theft driving breaches as the use of mobile devices (35 percent of breaches) increases and workers become more mobile. 

Eighty-five percent of the breaches came through five incidents. The largest breach last year compromised more than 4 million records when four desktop computers were stolen from Advocate Health and Hospitals. A class action lawsuit is pending in that case.

The second largest breach involved more than 800,000 health records on two unencrypted laptops stolen from Horizon Blue Cross Blue Shield of New Jersey. Another class action lawsuit was filed against the insurer claiming the use of inadequate security measures.

Among the steps needed to prevent many of the reported breaches, Redspin officials argued, was widespread use of encryption on stored data, which would have protected stolen data and not required a breach report. The report urged federal regulators to require such encryption through changes to the HIPAA Security Rule.

Although most of the estimated 10 percent of all laptops stolen during their operating lifetimes are not taken for the data, which is usually wiped clean by the thief, “that fact does nothing to minimize [HIPAA-covered entities’] obligations under the breach reporting regulations or avoid potentially costly reparations, penalties, or even legal judgments,” the report stated.

However, the use of encryption “is not a cure-all,” the report warned.

“There are also real risks that mobile devices will be compromised with malware that could infiltrate the IT infrastructure and steal information directly from other systems,” the report said.

Publication Date: Thursday, February 06, 2014