OCR Releases First “Small Breach” Data
By Kevin Heubusch
THE OFFICE FOR Civil Rights has been publicly reporting in- cidents of large-scale health data breaches since early 2010, but last month it reported to Congress numbers that the indus- try has only guessed at to date—the reports it has received of breaches involving fewer than 500 individuals. OCR, it turns out, was flooded with reports of small breaches, logging more than 30,500 incidents for the 15-month period ending December 31, 2010. These “small” breaches were very small, the report reveals, with the majority involving informa- tion on a single individual, typically sent to an incorrect mail or e-mail address or an incorrect fax number.
The Breach Notification Rule
The HITECH Act requires covered entities notify individuals of
breaches of their personal information. It also requires them to
notify the Department of Health and Human Services, of which
OCR is a part. Organizations must report breaches involving
500 or more individuals to HHS within 60 days; they may report
smaller breaches annually, within 60 days of the end of the calendar year in which the breaches occurred.
HITECH requires HHS, in turn, to report the numbers to Congress annually. Last month’s report, a relatively brief document,
was the first.
The number of individuals affected is approximate, OCR notes
in the report, because some organizations were not certain of
the exact number of individuals affected in a given incident.
OCR also notes that it has included in the report all incidents
that organizations have reported, even if the incident may have
been exempted from reporting through one of three caveats included in the breach notification rule.
Only unsecured data qualifies for a breach, so the reports do
not include exposed, lost, or stolen data that were encrypted.
The report also does not reflect breaches that the covered entity
determined posed no financial or personal risk to the individual. The notification rule does not require organizations to notify
individuals or HHS of such events.
Reporting began for incidents occurring on or after September
23, 2009. The report covers the period from that day to the end
of the 2010 calendar year.
Big Is Big
The report’s information on large-scale breaches was not news,
as noted, but OCR’s summary is a useful overview of the data.
In the approximately 15 months ending December 31, 2010,
HHS received 252 reports of large-scale breaches that involved
approximately 7. 8 million people. Organizations reported 207
breaches in 2010 alone, which offers an annual benchmark.
Theft was the leading cause of large breaches in both reporting periods, responsible for 52 percent of reported incidents and
more than half of all individuals affected. Organizations choose
from four causes of breach in 2009; in 2010 OCR added a fifth
category of “improper disposal.”
Small Is Small
Over the 15-month period ending December 31, 2010, OCR received approximately 30,500 reports of breaches involving fewer
than 500 individuals. An estimated 62,000 people were affected.
Although the raw numbers suggest an average of two individuals affected per breach, in reality most breaches involved the
information of a single person.