Catch these statistics:
96% of health care organizations have experienced at least one data breach in the past two years. ... Nearly half of health organizations do nothing to protect data on mobile devices ... only 23% of health care organizations use mobile device encryption.
What causes health data breaches?
Cause | In 2010 | In 2011 |
Lost or stolen computing device | 41% | 49% |
Third-party problem | 34% | 46% |
Unintentional employee action | 45% | 41% |
Technical glitch | 31% | 33% |
Criminal attack | 21% | 30% |
Malicious insider | 15% | 14% |
Intentional nonmalicious employee action | 10% | 9% |
Source: "Second Annual Benchmark Study on Patient Privacy & Data Security," Ponemon Institute, December
More than 10 million Americans had their medical data breached in 2011. Another example:
The insurer Health Net suffered one of the worst, when nine data servers went missing from a Northern California data center in January. The servers contained records of nearly two million current and former policy holders.
The Health Net announcement of the breach is here.
The UCLA Health Systems database was breached and a class action filed. A breach involving Sutter Physicians Services (SPS) and Sutter Medical Foundation is ranked as one of the top ten data breaches of 2011. 4.2 million patients had their data exposed, and two lawsuits are pending.
Two out of six of our top breaches are medical breaches. Data breaches in the healthcare industry are up 32 percent over last year, according to one report.
That report says breaches of health records are not just up, but "soaring."
The health information of more than 4 million members of the military health plan (TRICARE), which was maintained by Department of Defense contractor Science Applications International Corporation (SAIC), was breached in 2011. A $4.9 billion lawsuit is pending. How did it happen? Backup tapes were stolen from a data contractor's car.
I haven't seen any reported data breaches with Good Health Systems, which stores and manages the prescription monitoring data for Colorado and several other states. Its practices, outlined in this Jan. 2011 proposal to Vermont to procure Medicaid rebates, seem designed to maintain security. But it can't guarantee security against hackers and doctor or pharmacy negligence or incompetence.
Here's the (very long) list of health information breaches reported to HHS, involving 500 or more individuals. The New York Times reported in September:
The major breaches — a disconcerting log of stolen laptops, hacked networks, unencrypted records, misdirected mailings, missing files and wayward e-mails — took place in 44 states.
Here's a round-up by state as to what law enforcement must provide -- e.g. probable cause, a court order, an active investigation, or merely a subpoena, to get your information.
Instead of being cut back, these programs are being expanded. Several states are implementing real-time reporting of prescriptions.
So long as doctors, pharmacists and their agents can access the databases with only a user name and password, the databases are as vulnerable to being breached as any other database. That only 1 state has reported a breach so far doesn't mean more inci