Health Breach Tally Hits 6.5 Million
Total Affected by Breaches Could Hit 8 Million Soon
Not yet included on the list is a health information breach at New York City Health and Hospitals Corp. that may have affected as many as 1.7 million. That incident involved the theft of backup tapes from an unlocked, unattended truck. If the reported number of individuals affected holds up, the incident will be the largest on the federal tally so far.
Also not included is a breach that stemmed from a stolen computer at St. Francis Health System in Oklahoma, affecting 84,000.
Since Jan. 21, 15 incidents affecting a total of 457,000 have been added to the official tally, which is updated when federal officials confirm the details of each event.
As noted last month on HealthcareInfoSecurity.com, a spokesman for the Department of Health and Human Services' Office for Civil Rights said it's possible a breach incident in Puerto Rico that apparently affected about 400,000 individuals may be double-counted on the office's health information breach list. But so far, the office has not re-adjusted that tally.
Breach Statistics
Roughly 22 percent of all incidents on the list involve business associates, and more than half involve the theft or loss of computer devices.
The two most significant breaches added to the tally in recent weeks were hacking incidents at clinics.
Seacoast Radiology in New Hampshire reported an incident that affected 231,000 individuals and involved hackers using a server to gain bandwidth to play a video game.
Ankle & Foot Center of Tampa reported a hacking incident that affected 156,000; a server containing its practice management system was accessed.
HITECH Act Mandate
The Office for Civil Rights began posting incidents to its breach list on Feb. 22, 2010, for cases dating back to Sept. 22, 2009, when the HITECH Act breach notification rule took effect.
Under the interim final version of the breach notification rule, breaches affecting 500 or more individuals must be reported to OCR within 60 days. A final version of the HITECH breach notification rule, which could further clarify exactly what types of incidents need to be reported, is expected early this year. The interim version contains a controversial "harm standard," which allows organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm and, thus, must be reported.