Health care sector breaches in the news: just the tip of the iceberg?
Last week, a few mainstream news articles noted that the Identity Theft Resource Center’s database revealed that 113 of the 385 breaches they had recorded for this year involved the health care sector. As Brian Horowitz of eWeek noted, only breaches that include SSN, financial information, or driver’s license numbers are included in ITRC’s database. Breaches are excluded when it is not clear whether there was any information that could lead to identity theft (the organization’s focus) or when there is no media report or primary source that ITRC can rely on.
Because of their criteria and the new HHS web site that reveals breaches that we would not otherwise know about, ITRC’s figures for the health care sector are challenging to interpret. On the one hand, there will appear to be more health care sector breaches this year thanks to the HHS resource. On the other hand, their numbers for health care will continue to be a significant underestimate of the actual number of breaches involving covered entities or non-covered entities who are in possession of sensitive health information.
For purposes of contrast, and for the same time period in question (2010), I decided to run a quick check on PHIprivacy.net and DataBreaches.net to see how many U.S. health care sector breaches or incidents involving medical data have been reported on my sites this year.
There were over 200 U.S. breaches involving the health care sector or medical data reported on my sites this year. In comparison: ITRC currently shows 119 breaches out of 400 total, the Privacy Rights Clearinghouse shows 94 out of of 333 total, and the Open Security Foundation’s DataLossDB shows 60 out of 175. While their ratios are fairly comparable to each, the total numbers seem to indicate some hefty differences if we want to get a ballpark estimate of how prevalent breaches in this sector really are.
As crude/quick fingers-and-toes type of estimates:
- About 60 of 206 incidents reported on PHIprivacy.net and DataBreaches.net involved paper records, and half of those involved proper disposal
- Over 60 incidents involved theft (including some cases involving theft of paper records)
- Approximately 35 incidents involved inadvertent exposure (both paper and electronic)
- Almost 20 incidents involved lost or missing records (paper and electronic)
- Over 30 incidents involved employee misconduct such as ID theft or selling or providing patient records to outsiders
- There were 10 reports of employees snooping in patient records
- Only four incidents involving hacks or malware.
The last figure is particularly concerning to me, as my suspicion is that there have been many more hacks or compromises due to malware and they’re just not being detected.
In any event, we need to remain very cautious in reporting statistics and interpreting them. There’s still too much we are not finding out about.