Nearly 500 data breaches, each affecting at least 500 patients, have been reported in the past three years under the HITECH Act breach-notification requirements, according to a report on the history of health care data breaches. More than 57,000 breaches that individually affected fewer than 500 people were reported in the same period, underscoring the importance of a reliable data breach response plan.
The size of a breach determines how it must be reported under HIPAA (breaches affecting 500 or more individuals must be reported to HHS and to prominent media outlets without unreasonable delay, and no later than 60 days after discovery, while smaller breaches are logged and reported to HHS annually), but every breach should be treated as significant because of the possible legal consequences, including claims by the affected individuals. More than a third (38%) of breaches affected 10 to 100 patients, according to a survey of more than 450 health care employees. Data breaches appear to be increasing: 45% of survey respondents reported suffering five data breaches in the last two years, up from 29% two years earlier.
Patient files contain private identifying data, such as Social Security numbers, in addition to medical information. A data breach response plan should be in place so that staff can follow defined security procedures in the wake of a breach and prevent further damage. When a health care data breach occurs, alerts should go both internally to the organization's security team and externally to local law enforcement; HIPAA also requires that the affected individuals themselves be notified, so the plan should assign responsibility for that notification as well.
The best protection strategy is to prevent data breaches in the first place. Respondents to a health care data breach survey agreed on a few main areas of focus for breach protection, including regularly updating and testing the data breach response plan and detecting medical data theft. Medical data theft can be more dangerous than device theft because the perpetrator's motive is to obtain the information itself, whereas a laptop thief may be after only the hardware. An estimated 1.85 million cases of medical data theft occurred in the U.S. in 2012.
The 2011 breach of Sony's PlayStation Network (PSN) is an example of a large-scale data breach, even though it did not directly affect the health care industry. Sony was criticized for its reaction to the breach, particularly its lack of timely communication with affected users. All 77 million account holders were advised to check their accounts for signs of compromised data. Sony hired an outside firm to investigate and informed the public of the breach more than a week after it occurred. In the meantime, users were left in the dark and locked out of the PlayStation Network while they waited for Sony's response.