HHS Security Reporting Requirements Help Paint a Dismal Picture

In the wake of what has been dubbed the most massive breach of private health information since HHS began keeping records on these statistics, compromised personal information due to hacked medical records is at the forefront of health information technology discussions. Because HHS tracks and reports any breach over a certain size, it is possible to summarize the amount of hacked health data since 2009, and as one source reports, “the numbers aren’t pretty.” Yet questions remain as to what this means for patients whose information was accessed, and to what extent the health care industry will be motivated to increase safeguards against breaches because of this alarming trend.

HHS Notification Requirements

Pursuant to the terms of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was adopted as part of the American Recovery and Reinvestment Act of 2009 (P.L. 111-5), the Secretary of HHS must “post a list of breaches of unsecured protected health information affecting 500 or more individuals.” In addition to documenting the occurrence of such breaches, HHS also posts other information relating to them, including a brief summary of the nature of the breach and of the investigation by the HHS Office of Civil Rights (OCR), as well as the name of the private provider who reported the breach.

The Data

The Washington Post Wonkblog recently reviewed the HHS reporting of security breaches and summarized it this way: “Since federal reporting requirements kicked in, [HHS’] database of major breach reports… has tracked 944 incidents affecting personal information from about 30.1 million people.” Notably, that data does not account for the recently publicized hacking of approximately 4.5 million patients’ personal information due to a breach of the electronic health records at Community Health Systems (CHS), a nationwide hospital owner and operating company based out of Franklin, Tennessee. The Washington Post reported that breaches are estimated to cost the entire health industry approximately 5.6 billion each year, as the industry has been increasingly targeted by hackers around the globe. Indeed, in both 2013 and 2014, the Identity Theft Resource Center (ITRC) found that the health care industry was the sector in which the most data breaches occurred. Specifically, in 2013 the ITRC determined that “the health care sector accounted for 43.8 [percent of total breaches it identified], overtaking the business sector…for the first time since 2005, when the ITRC first began tracking data breaches.” The ITRC qualified these findings, noting that breach identification in the health care field has significantly increased due to the HHS breach tracking.

While the sheer numbers of the security breach data for the health care industry are alarming, the extent to which this affects patients who have their personal information breached is largely unknown. The Post noted that “a data breach doesn’t necessarily mean a patient is at risk of identity theft—a reportable breach could occur when someone loses a laptop with patient data, or some patient records are tossed in a dumpster.” In the case of the recent CHS breach, investigators were puzzled by the fact that the group suspected of being behind the breach had in the past typically sought out only intellectual property such as trade secrets, including drug formulas and device designs. As a result, some investigators thought the personal information could have been pulled by the hackers in an effort to find other intellectual property, rather than as part of a plan to steal identities. The Wall Street Journal analyzed the data made available by HHS and the current CHS hack from the perspective of the health care industry and noted that “CIOs are modifying their approach to cybersecurity, implementing new security software and processes and meeting with their boards.” The piece goes further to state that these CIOs are “motivated out of concern that their industry lags behind others when it comes to cybersecurity,” but are perhaps held back from making large changes by limited budgets that their counterparts in other, private-sector-dominated industries do not face.