Ungaretti & Harris LLP

Publications: From Theft to Error and Everything in Between: An Analysis of Reported Breaches of Unsecured PHI in 2010 and 2011

American Health Lawyers Association
November 2011

Over the past two years, healthcare providers and other covered entities have reported breaches[1] of unsecured protected health information (PHI) affecting more than 11.6 million individuals. The more than 25,265 reported breaches that occurred between January 1, 2010, and September 15, 2011, vary in size, from breaches impacting one individual to a breach that impacts 1.9 million individuals. The type of covered entities reporting these breaches also varies, from solo medical practitioners to large health plans, and reports of breaches of unsecured PHI originate from across the nation. Further, the causes of the breaches, as well as the investigation and resolution, also vary.[2]

Overview of Breach Notification Requirements
Healthcare providers, health plans, and healthcare clearinghouses that are covered entities under the Health Information Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) are required to report certain breaches of PHI to the U.S. Department of Health and Human Services (HHS). The breach notification requirements were established by the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA).[3] The HHS Office for Civil Rights (OCR) issued the Interim Final Rule for Breach Notification for Unsecured Protected Health Information (Interim Final Rule) through publication in the Federal Register on August 24, 2009, with an effective date of September 23, 2009. As of September 15, 2011, the Interim Final Rule is still in effect, and OCR has not published a final breach notification rule.[4]

The HITECH Act and the Interim Final Rule require covered entities to provide notification to OCR, as well as affected individuals and, in certain cases, the media, of breaches of unsecured PHI. A business associate is required to notify the covered entity of such a breach.[5] The HITECH Act defines “unsecured protected health information” as PHI that is not secured by a technology or methodology specified by the HHS Secretary, and the Interim Final Rule requires the specified technology or methodology to render the PHI “unusable, unreadable, or indecipherable to unauthorized individuals.”[6] In its breach notification guidance and request for information, published in the Federal Register on April 27, 2009, HHS pronounced that encryption and destruction are the designated methodologies for rendering PHI unusable, unreadable, and/or indecipherable to unauthorized individuals.[7] Therefore, if PHI is encrypted or destroyed, or if it is de-identified,[8] a covered entity is not required to engage in the breach notification process.

A “breach” is defined as the acquisition, access, use, or disclosure of unsecured PHI in a way that is not permitted under the HIPAA Privacy Rule and that compromises the privacy or security of such information.[9] The Interim Final Rule further defines “compromises the security or privacy of the protected health information” as an action that poses a significant risk of financial, reputational, or other harm to the relevant individual.[10] The analysis to determine this “significant risk” is commonly referred to as a risk assessment.

The HITECH Act provides for three exceptions to the definition of a breach; these exceptions are incorporated in the Interim Final Rule. The first excepts from the breach reporting requirement an unintended acquisition, access, or use of PHI by an employee or an individual acting under the authority of a covered entity or business associate, provided that the acquisition, access, or use was made in good faith and within the scope of authority and provided that the information is not further acquired, accessed, used, or disclosed by any person. The second exception provides that an inadvertent disclosure from an individual otherwise authorized to access PHI at a covered entity’s or business associate’s facility to another person with analogous authorization at the same facility, or a facility participating in the covered entity’s organized healthcare arrangement, is not deemed a breach so long as the information is not further acquired, accessed, used, or disclosed. Finally, an unauthorized disclosure of PHI to a person when the covered entity or business associate has a good-faith belief that the recipient would not reasonably have been able to retain the information is not considered to be a breach.[11]

If a potential breach does not meet the requirements of an exception, a covered entity must next engage in a risk assessment to determine whether the action poses a significant risk of financial, reputational, or other harm to the individual at issue. If the action: (1) involves unsecured PHI; (2) fails to meet an exception to the definition of a breach; and (3) is determined to pose a significant risk of harm, the covered entity must notify OCR.

Breaches Reported to OCR

The HITECH Act and the Interim Final Rule divide breaches into two categories: breaches involving fewer than 500 individuals (Small Breaches) and breaches involving 500 or more individuals (Large Breaches). A covered entity must report a Large Breach to the Secretary of HHS (via OCR) at the same time the covered entity notifies the affected individuals (without unreasonable delay and no more than sixty days following discovery of the breach, subject to limited exceptions). Reports of Small Breaches are due to OCR no later than sixty days following the end of the calendar year in which the breach occurred, although a covered entity may report a Small Breach at any time prior to that date.[12]

2010 Breaches

OCR received reports of more than 25,000 Small Breaches in 2010. Collectively, these breaches involved more than 50,000 individuals. The majority of the reported Small Breaches involved one individual per breach. OCR, in its first annual report to Congress, reports that the majority of these breaches involved misdirected communications, such as a misdirected email or a file attached to the wrong record. Certain of the Small Breaches involved test results sent to the incorrect individual, incorrect files attached to a patient record, and member identification cards mailed to an incorrect individual.[13]

The covered entities, in their breach notification reports, informed OCR that they fixed software “glitches” related to patient names and contact information, modified their policies and procedures, and instituted new training programs for employees handling PHI.[14]

With respect to Large Breaches that occurred in 2010, OCR received 210 reports. These breaches ranged from three breaches, each of which impacted 500 individuals, to a single breach that impacted 1.7 million individuals. Collectively, the Large Breaches occurring in 2010 impacted approximately 5.4 million individuals.[15]

Theft, the most common cause reported for the Large Breaches, was a factor in 113 Large Breaches occurring in 2010, or 54%. In the breach that affected the PHI of 1.7 million people, theft was reported as the cause.[16] In this particular breach, a business associate providing information services to a hospital system left a vehicle unlocked and unattended and a person stole electronic files containing PHI.[17] Of the Large Breaches occurring in 2010 that cited theft as the cause, less than 8% dealt with the theft of non-electronic information; the majority of such breaches dealt with stolen laptops, computers, servers, electronic media, or portable electronic devices. Specific examples of Large Breaches caused by theft involved a laptop stolen from an employee’s residence, a computer server stolen during an office burglary, and the theft of three desktop computers, one laptop computer, and a backup drive.[18]

The unauthorized access to or disclosure of PHI was the second largest category of Large Breaches in 2010, as it was a factor in forty-five reported breaches, or 21%. Examples include a business associate that sent group emails without concealing the recipient list, letters sent to patients by a covered entity that had the patients’ Social Security numbers on the envelope, and a business associate of a health plan that sent coverage determination letters to incorrect addresses. Loss of PHI was the next most common cause of the Large Breaches, cited as a factor in thirty-nine Large Breaches, or 18%. For example, a covered entity mistakenly sent large volumes of PHI to a recycling center. Other reported causes of Large Breaches occurring in 2010 were improper disposal, hacking or an information technology incident, and two breaches where the covered entities reported unknown causes.[19]

The covered entities reporting Large Breaches occurring in 2010 were categorically and geographically diverse, from dental practices to hospital systems to health plans to laboratories. Breaches were reported in New York, California, Texas, Puerto Rico, Idaho, Arkansas, and Rhode Island, among other locales. The reported data shows the involvement of business associates in forty-one of the Large Breaches occurring in 2010, or 19%.[20]

OCR lists forty-four of the Large Breaches as having completed and closed investigations. The majority of these breaches occurred in the first half of 2010. The data posted by OCR lists resolutions ranging from changes to data and file storage to creation of new policies and procedures and staff training on such new processes. Resolution of certain breaches of electronic PHI included the future use of encryption technology and additional technical safeguards.

2011 Breaches

OCR lists fifty-five Large Breaches reported by covered entities and occurring in 2011. These breaches range from a theft of paper records impacting 550 individuals to loss of server drives by a business associate,[21] impacting 1.9 million individuals. The Large Breaches occurring in 2011 and posted by OCR through September 16, 2011, collectively impact almost 3.4 million individuals.[22]

The covered entities reporting these breaches cite three main categories that account for more than 75% of these incidents: theft, unauthorized access or disclosure, and improper disposal. Similar to 2010, theft is the largest reported cause, as it is a factor in 45% of the incidents. The vast majority of the thefts reported dealt with laptops, computers, or other electronic devices.[23] For example, a healthcare system reported a computer containing PHI stolen from an employee’s vehicle. This breach impacted 400,000 individuals.[24]

One Large Breach reported as caused by an unauthorized access or disclosure dealt with a mailing by a health plan’s business associate that disclosed PHI through the windows in the envelopes.[25] In another unauthorized access or disclosure breach, individuals inappropriately accessed and removed PHI from a hospital; the hospital learned from law enforcement that the perpetrators may have used this data to file fraudulent income tax returns.[26] These breaches collectively impacted 5,453 individuals.[27]

Ten of these Large Breaches involved business associates. The covered entities reporting the breaches spanned all types of covered entities, from health plans to hospitals to physicians to dentists. Similar to entities reporting Large Breaches in 2010, the covered entities reporting such breaches in 2011 were geographically diverse.[28]

Of the reported Large Breaches occurring in 2011, OCR completed and closed only one investigation. The breach at issue involved a theft of a laptop containing PHI from the vehicle of a business associate. The covered entity did not have a business associate agreement with the contractor at the time of the breach; OCR reports that its investigation resulted in the covered entity developing policies governing contractors and business associate agreements.[29]

With respect to Small Breaches that occurred in 2011, because covered entities have until early 2012 to report these breaches, OCR will not provide data on the number, type, and scope of these breaches until its next report to Congress.[30]

Conclusion
The breach reports submitted for breaches occurring in 2010 and 2011 show that breaches occur at covered entities of each type and providers large and small. Some involve business associates, but the majority are direct breaches by the covered entities. The largest cited cause of the Large Breaches is theft, particularly theft of electronic devices. While security measures are being tightened, policies revised, employees sanctioned, and workforce members trained, breaches of unsecured PHI have impacted millions of individuals.

Copyright 2011 American Health Lawyers Association, Washington, DC
Reprint permission granted.

[1] For purposes of this article, the author refers to any breach of unsecured protected health information (PHI) reported to the Office for Civil Rights (OCR) as a “breach” irrespective of whether it qualified for an exception to the definition of a “breach” or whether it met the elements of a “breach.”
[2] U.S. Department of Health and Human Services (HHS), OCR, Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Years 2009 and 2010, 4-9 (Sept. 1, 2011), at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf (hereinafter Report to Congress); HHS, OCR, Breaches Affecting 500 or More Individuals, at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html (last visited Sept. 16, 2011) (OCR Website).
[3] Pub. L. 111-5, Division A, Title XIII and Division B, Title IV (hereinafter, HITECH Act).
[4] HHS submitted final regulations to the Office of Management and Budget for regulatory review in May 2010 but withdrew the regulations in September 2010 for further HHS review.
[5] HITECH Act, § 13402; 45 C.F.R. §§ 404-10.
[6] HITECH Act, § 13402(h); 45 C.F.R. § 164.402.
[7] 74 Fed. Reg. 19009-10 (Apr. 27, 2009). Additional guidance on valid encryption processes can be found in National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, at http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf; NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, at http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf; NIST Special Publication 800-77, Guide to IPsec VPNs, at http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf; and NIST Special Publication 800-113, Guide to SSL VPNs, at http://csrc.nist.gov/publications/nistpubs/800-113/SP800-113.pdf. Paper, film, and other “hard copy” media are considered to be destroyed if shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. 74 Fed. Reg. 19010 (Apr. 27, 2009). Electronic media must be cleared, purged, or destroyed in accordance with NIST Special Publication 800-88, Guidelines for Media Sanitization, at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf.
[8] De-identified PHI is not regulated under HIPAA and thus not subject to the breach notification requirements. See 74 Fed. Reg. 19008 (Apr. 27, 2009).
[9] 45 C.F.R. § 164.402.
[10] Id.
[11] HITECH Act § 13400(1)(B); 45 C.F.R. § 164.402.
[12] 45 C.F.R. § 164.408.
[13] Report to Congress at 9.
[14] Id.
[15] See OCR website, www.hhs.gov/ocr/office/index.html.
[16] Id.
[17] See New York City Health and Hospitals Corporation, HHC Reports Theft of Personal Health Information (Feb. 11, 2011), at www.nyc.gov/html/hhc/html/pressroom/pr-20110211-data-theft.shtml.
[18] See OCR website, www.hhs.gov/ocr/office/index.html.
[19] Id.
[20] Id.
[21] Health Net Inc., Health Net, Inc. Investigating Unaccounted-for Server Drives (Mar. 14, 2011), at http://healthnet.tekgroup.com/article_display.cfm?article_id=5529.
[22] See OCR website, www.hhs.gov/ocr/office/index.html.
[23] Id.
[24] Id.; Spartanburg Regional Healthcare System, Letter to Patients, at www.spartanburgregional.com/Pages/PatientNotice.aspx (last visited Sept. 19, 2011).
[25] Molina Medicare, Molina Medicare Website Substitute Breach Notification (July 21, 2011), at www.molinamedicare.com/pdf/Molina%20Medicare%20Web%20posting.pdf.
[26] Troy Regional Medical Center, Troy Regional Medical Center Notifies Patients of Data Theft (July 6, 2011), at www.troymedicalcenter.com/getpage.php?name=news&sub=About%20Us.
[27] See OCR website, www.hhs.gov/ocr/office/index.html.
[28] Id.
[29] Id.
[30] Email from Amanda Fine, HHS, OCR, to Valerie Breslin Montague (Sept. 19, 2011, 16:41:00 CST) (on file with author).