Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Sunday, February 5, 2012

US Health Breach Tally Hits 19 Million

385 Major Incidents Reported Since 2009
Govinfosecurity.com
By Howard Anderson, January 23, 2012

With the tardy addition of the Sutter Health breach, the U.S. tally of major healthcare information breaches now includes 385 incidents affecting more than 19 million individuals since September 2009.

The Department of Health and Human Services' Office for Civil Rights recently added the Sutter Health breach, which occurred in October, to its official tally of breaches affecting 500 or more individuals. It adds incidents once it confirms the details.

Healthcare information on 943,000 individuals was on an unencrypted desktop computer that was stolen in October from a Sutter facility in California; that total is reflected in the official federal healthcare breach tally. But in announcing the breach, Sutter Health noted that two databases with information on 4.2 million patients were on the device.

A database for Sutter Physician Services, which provides billing and other administrative services for 21 Sutter units, held only limited demographic information on about 3.3 million patients collected from 1995 through January 2011. The device also contained a database with more extensive information on 943,000 Sutter Medical Foundation patients, dating from January 2005 to January 2011. This smaller database included the same demographic information as the larger database, plus dates of service and a description of diagnoses and/or procedures.

Sutter Health faces two class action lawsuits in the wake of the breach.

Breach List Update

In addition to adding the Sutter Health incident, federal officials added five much smaller incidents to the official breach tally in the past month.

Of the 385 incidents affecting 500 or more individuals that are now included in the official tally after being reported to authorities as required under the HIPAA breach notification rule, roughly 55 percent have involved lost or stolen unencrypted electronic devices or media. About 22 percent have involved a business associate.
