California Healthline Daily Edition

Summaries of health policy coverage from major news organizations

30.1M Patients Affected by Data Breaches Since 2009, Analysis Finds

The personal data of about 30.1 million people have been affected by the 944 recorded major health data breaches since federal reporting requirements under the 2009 economic stimulus package went into effect, according to an analysis of HHS data, the Washington Post's "Wonkblog" reports. 

HHS defines a major data breach as one affecting at least 500 people.

According to a "Wonkblog" analysis of the data, the types of reported data breaches include:

  • Medical record theft, which has affected 17.4 million individuals;
  • Data loss, which has affected 7.2 million individuals;
  • Hacking, which has affected 3.6 million individuals; and
  • Unauthorized access accounts, which has affected 1.9 million individuals.

The analysis did not include the recent Community Health Systems data breach, which affected 4.5 million patients, according to "Wonkblog."

In addition, HHS data show a number of smaller-scale breaches, or those affecting less than 500 individuals.

For example, HHS in 2012 received 21,194 reports of smaller breaches that affected a total of 165,135 individuals.

Overall, data breaches cost the industry $5.6 billion per year, according to a Ponemon Institute report (Millman, "Wonkblog," Washington Post, 8/19).

Health Care CIOs Boost Data Protection, Communication in Wake of Data Breaches

In response to recent high-profile data breaches, some health care CIOs are altering the way their organizations approach cybersecurity, the Wall Street Journal's "CIO Journal" reports.

Specifically, CIOs said they are:

  • Hiring new, security-focused staff;
  • Implementing new security processes;
  • Installing new security software; and
  • Meeting with their boards more consistently.

Further, some CIOs said they are trying to protect against data breaches through internal training programs that aim to help staff recognize potential threats (Boulton, "CIO Journal," Wall Street Journal, 8/19).

Hackers Leverage Heartbleed To Access CHS Data

In related news, the hackers who stole the personal data of about 4.5 million CHS patients were able to access the information through the "Heartbleed" Internet bug, according to a data security expert, Reuters reports (Finkle/Kurane, Reuters, 8/20).

CHS discovered the breach last month and believes the cyberattack occurred in April and June.

The incident is the second largest HIPAA breach ever reported and the largest hacking-related HIPAA data breach ever reported, according to data from the Office for Civil Rights (Kutscher, Modern Healthcare, 8/18).

Security experts said the Heartbleed computer bug could leave hospitals' and providers' online networks -- including email accounts, electronic health records and remote monitoring devices -- vulnerable to attack.

David Harlow, principal of health care law Harlow Group, warned that health groups that do not rely on OpenSSL should be worried about ramifications of the massive breach (California Healthline, 4/15).

David Kennedy -- CEO of TrustedSec, an information security consulting firm -- said that sources close to the investigation confirmed that the hackers had used Heartbleed to pose as employees and access the hospital's network.

Officials for CHS were not available to confirm the report, according to Reuters (Reuters, 8/20).

CHS on Aug. 20 is expected to formally notify OCR and media outlets about the data breach, as well as begin the patient notification process (Goedert, Health Data Management, 8/19).

This is part of the California Healthline Daily Edition, a summary of health policy coverage from major news organizations. Sign up for an email subscription.