Landscape of Healthcare Data Breaches
In recent years, the number of reports of healthcare data breaches has skyrocketed. In 2013, the Identity Theft Resource Center (ITRC) identified 267 data breaches within the medical/healthcare industry, constituting 43% of all data breaches tracked by ITRC; in 2012, the ITRC identified 163 medical/healthcare data breaches, which comprised only 34.7% of all data breaches.
Pursuant to the Breach Notification Rule, HIPAA-covered entities (healthcare providers, health plans and healthcare clearinghouses) must notify individuals and the U.S. Department of Health and Human Services Office for Civil Rights (OCR), and in some cases the media, of breaches of protected health information (PHI). The Breach Notification Rule further requires business associates to notify covered entities of such breaches. Since reporting began in 2009, OCR has received reports of more than 700 breaches involving 500 or more individuals and 64,000 reports of breaches involving fewer than 500 individuals.
Since 2008, OCR has obtained corrective action from covered entities in more than 13,000 cases and has entered into resolution agreements in 16 cases involving HIPAA noncompliance by covered entities.