The media loves to report horror stories about privacy breaches that result in voluminous amounts of private health information being disclosed.  There were numerous reports of privacy breaches in 2006 and there will certainly be more in 2007.  Breaches in security and privacy are serious matters and steps must be taken to "mitigate harm."  In addition, increasing concerns with identity theft have led numerous states to pass security breach notification laws that require covered entity providers to take affirmative steps to notify the affected individuals in the event of such a breach.  Such notification is not mandated under HIPAA.


The National Conference of State Legislatures (NCSL) reports on its website that as of January 9, 2007, at least 35 states have enacted legislation that requires companies and/or government agencies to disclose security breaches involving personal information to the individuals potentially affected.  Providers should determine if their state has enacted a security breach notification law.  


Meanwhile, here is a list of some fairly recent and highly-publicized breaches that resulted, in at least some cases, in a staggering amount of protected health information being compromised:

  • Georgia’s Medicaid and PeachCare for Kids programs lost data (including names, addresses, birth dates, Social Security numbers) on almost 3 million beneficiaries when a CD containing the data went missing while it was being shipped to a state subcontractor. (April 2007).
  • Providence Health System experienced theft of computer disks and tapes that contained information on 365,000 Providence Home Services patients. (October 2006).
  • Department of Veterans Affairs lost data on 26.5 million veterans and some of their spouses when one of its data analysts had a laptop computer stolen from his home. (May 2006).
  • Sisters of St. Francis hospital in Indiana and Illinois experienced a data breach after a contractor that was working on medical billing records took three CDs containing the personal and medical billing information on 260,000 patients and accidentally left the CDs in a laptop computer bag she returned to a store.
  • Kaiser Permanente sent letters to 25,000 patients who were treated at Kaiser Permanente’s South Bay Medical Center in California after two contract employees were arrested for allegedly stealing their personal information.
  • A nurse at Beaumont Hospital in Detroit had a laptop stolen from her car that contained the names, medical records and SSNs of more than 28,000 Beaumont home care patients.  Aetna, Inc. also reported that an employee’s laptop computer containing personal information on 59,000 members was stolen from the employee’s car.

Now, that would be a lot of individuals to notify . . . .