Redspin cites the increasing concentration of protected health information (PHI) on unencrypted portable devices and the lack of sufficient oversight of PHI disclosed to hospital’s business associates as the main reasons for the increase.
Malicious attacks (theft, hacking, and insider incidents) continue to cause 60% of all breaches due to the economic value of personal health records sold on the black market and for medical ID theft used to commit Medicare fraud, the report said.
Redspin examined the data breach information on the US Department of Health and Human Services website, which lists a total of 385 breaches affecting over 19 million individuals since breach reporting notification requirements went into effect in August 2009. For a breach to be reported, it must affect 500 individuals or more.
“The velocity of breaches are increasing year over year”, said Daniel W. Berger, Redspin's president and chief executive officer. “This problem is widespread and increasing”, he told Infosecurity.
In addition, the average number of records affected by a single breach has almost doubled, according to Redspin’s report.
“As electronic health records become more widely adopted, it is quite logical that the data becomes concentrated more highly. When you add that concentration of PHI data to the use of portable devices, such as a laptop or thumb drive, you are likely to see more patient records involved in a breach”, Berger said.
“Many of the breaches occurred because of the hospital’s business associate, which has under contract access to PHI of the hospital in order to perform services. It also has a contractual responsibility for maintaining that data as securely as the hospital itself. Clearly, not enough oversight is being done in that regard”, he continued.
Based on security risk assessments that Redspin has done for hospitals, “we found that the business associate problem is not one that anyone has a handle on yet”, Berger noted. Other than through a contract, the hospital does not have control over what the business associates do with the PHI information that they have access to, he added.