About half of the major breaches affecting more than 500 people were the result of theft, including stolen electronic equipment such as network components, laptops or hard drives.
The largest reported theft affected 1.9 million people, HHS said in its report. This involved the theft of back-up tapes that contained electronic medical records as they were being transported by a vendor to the vendor’s site.
Of the 99 reported incidents of theft in 2010, 42 involved the theft of laptops. The majority of the incidents involved thefts of laptops onsite while a few incidents involved offsite theft, such as theft of a laptop from an employee’s car. Twenty-one incidents involved theft of desktop computers from onsite locations.
Fourteen incidents were reported as theft of “portable electronic device/other”, which were predominately stolen smartphones and flash drives. Finally, seven incidents were reported as thefts of more than one device, such as a laptop and a desktop computer or a desktop computer and network drive, and five incidents involved theft of a network server.
Other reported data breach incidents involved intentional unauthorized access to, use, or disclosure of protected health information; human error; loss of electronic media or paper records containing protected health information; and improper disposal of records.
The HHS report looked at data breaches that occurred between Sept. 23, 2009, when notification requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH) Act went into effect, and Dec. 31, 2010.