Unencrypted Device Breaches Persist
June 24, 2015Health Data Breach Tally Shows String of Theft Incidents
By Marianne Kolbasuk McGee, June 23, 2015.
Although hacker attacks have dominated headlines in recent months, a snapshot of the federal tally of major health data breaches shows that stolen unencrypted devices continue to be a common breach cause, although these incidents usually affect far fewer patients.
As of June 23, the Department of Health and Human Services’ Office for Civil Rights’ “wall of shame” website of health data breaches affecting 500 or more individuals showed 1,251 incidents affecting nearly 134.9 million individuals.
Those totals have grown from 1,213 breaches affecting 133.2 million individuals in an April 29 snapshot prepared by Information Security Media Group (see Breach Tally Shows More Hacker Attacks).
The federal tally lists all major breaches involving protected health information since September 2009, when the HIPAA Breach Notification rule went into effect. As of June 23, about 52 percent of breaches on the tally listed “theft” as the cause.
Among the breaches added to the tally in recent weeks are about a dozen involving stolen unencrypted computers. Lately, those type of incidents have been overshadowed by massive hacking attacks, such as those that hit Anthem Inc. and Premera Blue Cross.
“Although we’ve seen some large hacking attacks, they are aimed at higher-profile organizations than the more typical provider organization,” says privacy and security expert Kate Borten, founder of the consulting firm, The Marblehead Group. “Attackers know that these organizations have a very high volume of valuable data. But I continue to believe that unencrypted PHI on devices and media that are lost or stolen is ‘the’ most common breach scenario affecting organizations of any size.”
Borten predicts that many incidents involving unencrypted devices will continue to be added to the wall of shame. “Getting those devices encrypted is an ongoing challenge when we expand the requirement to tablets and smartphones, particularly when owned by the users, not the organization,” she says. “We also shouldn’t overlook encryption of media, including tapes, disks and USB storage drives.”
Unencrypted Device Breaches
The largest breach involving unencrypted devices that was recently added to the tally was an incident reported to HHS on June 1 by Oregon Health Co-Op., an insurer.
That incident, which impacted 14,000 individuals, involved a laptop stolen on April 3. In a statement, the insurer says the device contained member and dependent names, addresses, health plan and identification numbers, dates of birth and Social Security numbers. “There is no indication this personal information has been accessed or inappropriately used by unauthorized individuals,” the statement says.
Also recently added to the federal tally was a breach affecting 12,000 individuals reported on June 10 by Nevada healthcare provider Implants, Dentures & Dental, which is listed on the federal tally as “doing business as Half Dental.” The incident is listed as a theft involving electronic medical records, a laptop, a network server and other portable electronic devices.
In addition to the recent incidents involving stolen or lost unencrypted devices, several breaches added to the wall of shame involve loss or stolen paper records or film.
“Breaches of non-electronic film and paper will never end, but at least these breaches are typically limited to one or a small number of affected individuals,” Borten says. Because many of the breaches involving paper or film are often due to human error, “effective, repeated training is essential” to help prevention of such incidents, she says.
