HHS Report of Breaches, 2011-2012, Part #1
The U.S. Department of Health and Human Services (HHS) submitted their Annual Report to Congress on Breaches of Unsecured Protected Health Information (PHI), for the calendar years 2011-2012. Theft and loss of computing equipment are consistently the most common causes of breach, while hacking began an uptick in 2012.
The number of major breaches (those over 500 individuals) in 2012 declined modestly from the earlier year:
| Reporting Year | Number of Major* Breaches Reported to HHS | Total Number of Individuals Affected** |
| 2011 | 236 | 11,415,185 |
| 2012 | 222 | 3,273,735 |
*Breaches affecting 500 individuals or more
**The total number of individuals affected is approximate because some covered entities report uncertainty about the number of records affected by a breach.
The year 2011 was atypical in terms of the numbers of individuals affected by major breaches, due to several breaches affecting over one million individuals each. The largest breach in 2011 resulted from the loss of a back-up tape by a business associate and affected 4.9 million individuals.Similar to what we saw in 2009-2010, these major breaches made up less than 1% of all breach reports, yet accounted for 97.89% of the 15,005,660 individuals who were affected by a breach of their PHI.
More interesting to note, however, are the general causes of major breaches which offer some insight into data breach prevention. The following chart shows the percentage of major breaches in 2009-2012 categorized by four general causes of breaches.
And this chart shows the percentage of individuals affected by major breaches by general cause.
Much of what is interesting to report here is actually happening in the “Other” category, which includes causes previously tracked separately as “Human Error”, “Improper Disposal” (added as a category in 2010) and “Hacking/IT” (a new category added in 2011/2012.)
When we look at the detailed report, we learn that:
- Theft caused the highest percentage of breaches in 2012–52%–and affected 36% of the total individuals. Theft continues to be one of the top causes of breaches that affect the most people. The lesson to be learned? Encrypt, encrypt, encrypt. Per the HIPAA regulations, loss or theft of encrypted data does NOT constitute a breach.
- Hacking/IT Incidents (which was added as a new category in 2011, and therefore contained in “Other” in the graphics above) remained in the 8%-9% range in both 2011 and 2012. However, in 2012 hacking increased to 27% of the total individuals affected, a dramatic increase from the 1% of total individuals affected in 2011. The lessons? Network security matters. There are numerous controls involved in safeguarding the network including use of secure configurations, robust patching, using strong authentication (consider 2 factor!), and more. To detect problems consider intrusion detection capability and/or network security monitoring. Finally, to support forensic analysis, be sure to enable logging per best practices.
Additional findings from the Report of Breaches will be discussed in our next post.
