The number of large breaches of Protected Health Information (PHI) under HIPAA that have been reported on the so-called “Wall of Shame” (the HHS List) maintained by the U.S. Department of Health and Human Services has jumped by 239 to 885 in less than a year.    The most common breach type is “theft” in this ever-lengthening parade on the HHS List of PHI breaches affecting 500 or more individuals (the List Breaches). Previous blog posts in this series including those discussed here and here discussed the volume of List Breaches that occurred in earlier periods.

It took nearly 3½ years between the inception of the HHS List on March 4, 2010 and August 13, 2013, to reach 646 postings, for an annualized average of approximately 189 postings per twelve-month period. In less than twelve months from August 13, 2013 to July 29, 2014, 239 more marchers have joined the parade on the HHS List.

A total of 430 or almost one-half (48.6%) of the total of 885 List Breaches reported the breach type to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the approximately 73 additional List Breaches that have reported the breach type as a “loss” of various types (excluding as a loss item any List Breach that also reported theft as a breach type) is added to the 430 theft events, the total for the two categories swells to approximately 503 or 56.8% of the 885 posted List Breaches. Combining the two categories appears to make some sense, as it is likely that a number of the List Breaches categorized as a “loss” event may have involved some criminal aspects.

Even more significant may be the fact that approximately 272 (30.7%) of the List Breaches reflected the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices (collectively, Portable Devices). Theft or loss of Portable Devices thus constituted 54.1% of the approximately 503 List Breaches that reported theft or loss as the breach type.

As has been emphasized in the past, it may have become more a question of when a covered entity (CE), business associate (BA) or subcontractor (SC) will suffer a PHI security breach and how severe the breach will be, rather than if it will ever suffer a breach. The geometric increase in Portable Devices that can create, receive, maintain and transmit PHI requires CEs, BAs and SCs to perform adequate risk assessments and establish effective policies and procedures respecting employer-supplied and personally-owned Portable Devices.