This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the U.S. Department of Health and Human Services (“HHS”) ever-lengthening parade list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Previous blog posts in this series discussed here and here the volume of List Breaches that occurred in earlier periods. As of August 13, 2013, there were postings of 646 List Breaches.
In the almost 3½ years since the inception of the HHS List on March 4, 2010, there have been 646 postings for an annualized average of approximately 189 postings per twelve-month period. Approximately 334 (51.7%) of the postings reported the type of breach to involve “theft” of all kinds, including laptops, other portable electronic devices, desktop computers, network servers, paper records and others. If the approximately 66 additional List Breaches reporting the type of breach as a “loss” of various types is added to the 334 “theft” events, the total for the two categories swells to approximately 400 or 61.9% of the 646 posted List Breaches. Combining the two categories appears to make some sense since it is likely that a number of the List Breaches categorized as a “loss” event may have involved some theft aspects.
Even more significant may be the fact that approximately 230 (35.6%) of the List Breaches reflected the cause or partial cause of the breach to be “theft” or “loss” respecting laptops or other portable electronic devices. Theft or loss of laptops or other portable electronic devices thus constituted 57.5% of the approximately 400 List Breaches that involved reported theft or loss.
It is likely that it will be a number of months after the effective date of the Omnibus Rule on September 23, 2013, that List Breaches can begin to be evaluated under post-Omnibus Rule standards, such as the presumption that a PHI security event is a breach unless established otherwise. It will be interesting to see if any of the numbers reported above materially change in the post-Omnibus Rule environment.
As has been emphasized in the past, it may have become more a question of when a covered entity (“CE”) or business associate (“BA”) will suffer a PHI security breach and how severe the breach will be, rather than if it will ever suffer a breach. The geometric increase in portable electronic devices to receive, access and store PHI should be monitored carefully by CEs and BAs, as it can be expected that this type of security breach will continue to expand. Effective policies and procedures must be established by CEs and BAs to govern use of such electronic devices, both with respect to entity-supplied devices and personal devices. Many individuals have multiple portable electronic devices of both types that may become repositories of unprotected PHI, whether voluntarily or involuntarily.