Healthcare News & Insights

Large health care data breaches declined in 2012

Finally, some good news about health care IT security: Despite an increase in sophisticated cyber attacks, 2012 actually saw fewer large health data breaches than previous years. 

The HITECH Act, passed in 2009, requires health care organizations to report data breaches affecting 500 or more individuals to the Department of Health and Human Services’ Office for Civil Rights (OCR). The agency keeps a list of those data breaches on its website.

Through mid-September, 87 major data breaches had been reported to OCR this year, for an average of 10.2 breaches per month in 2012, which is the lowest average of any year since reporting was first required by law. In comparison:

  • 12.8 data breaches per month were reported in 2011
  • 17.8 data breaches per month were reported in 2010, and
  • 13.3 data breaches per month were reported in 2009 (Note: Reporting didn’t start until September of 2009).

The number of individuals affected by the theft of protected health information went down since last year, too. In 2011, there were several massive health data breaches, and the incidents on the list affected an average of 71,368 individuals, Modern Healthcare reports. The number dropped to 22,043 in 2012.

Of course, those numbers don’t include any data breaches affecting fewer than 500 patients, which have become very common as hackers in all industries target smaller organizations more regularly. Often, smaller firms don’t have the same security protections as their larger counterparts.

In fact, a study of health data breaches from Verizon released last month found that most of the incidents the company looked at involved health care organizations with 100 or fewer employees. While a decline in large data breaches is good, providers should take steps to protect against smaller thefts as well.
