Updated: Jan 6, 2022
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) maintains a breach portal: the public record of every breach of unsecured protected health information (PHI) affecting 500 or more individuals that a covered entity (CE) or business associate (BA) has reported to the Secretary (we'll call this a "major breach"). Affectionately known as the "OCR Wall of Shame" (go ahead, start typing the phrase and watch autocomplete kick in after a couple of letters...), its data is available for download and analysis, so that's what we did. Here are some interesting data points that may help a HIPAA Security (or Privacy) Officer communicate trends.
First, up to 44,580,340 people had their PHI improperly disclosed as a result of 613 reported major breaches. We don't know how many of these breaches affected the same person, but we assume such overlaps are a tiny minority. The largest reported breach was from Florida Healthy Kids Corporation and affected 3.5M individuals, while the smallest figure, exactly 500 individuals, appeared in 21 different reports. With such rounded numbers, we cannot help but conclude that the actual number of patients affected was a "best guess", which reinforces our recommendation that each ePHI system administrator document quarterly how many individuals' records live inside their system. Imagine if even half of those 500s were actually 499 or fewer, and the breach was posted unnecessarily. We further imagine how much lost business comes from a company being listed on the Wall of Shame.
Second, 82 breaches (13%) were reported by BAs, significantly down from the historical average of 22%. We hope this means more BAs are taking HIPAA seriously, but we are cautious that most still might not even be aware of their reporting responsibilities. Healthcare providers led the pack with 438 breaches (71%), followed by health plans with 91 (15%), and healthcare clearinghouses with two. We were going to include states, but the leaders there weren't a surprise (CA, TX, NY).
Lastly, the types of breach reported. The location of each breach is also available, but we weren't confident how HHS differentiates (for example) a network server from email, since the latter is normally stored on the former (even if said server is "in the cloud"). 33 breaches were paper or film based, and those affected 155,124 individuals. The breakdown by type:
Hacking or IT incident: 461 (42,384,483 individuals affected)
Unauthorized Access / Disclosure: 119 (1,876,111 individuals affected)
Theft: 20 (101,771 individuals affected)
Loss: 8 (27,435 individuals affected)
Improper Disposal: 5 (190,540 individuals affected)
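The aggregation behind the figures above (breaches and individuals per type, the BA share, and the cluster of reports sitting exactly on the 500-person threshold) can be reproduced over the portal's CSV export. This is an added example, not part of the original post; the column names mirror what we expect in the download but are an assumption to check against the actual file, and the rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a breach portal export. The column names
# are an assumption: verify them against the real download before relying on them.
SAMPLE_CSV = """Name of Covered Entity,Covered Entity Type,Individuals Affected,Type of Breach,Location of Breached Information,Business Associate Present
Example Clinic A,Healthcare Provider,500,Hacking/IT Incident,Network Server,No
Example Clinic B,Healthcare Provider,500,Unauthorized Access/Disclosure,Email,No
Example Plan C,Health Plan,12000,Hacking/IT Incident,Network Server,Yes
Example Vendor D,Business Associate,3500,Theft,Laptop,Yes
Example Clinic E,Healthcare Provider,750,Improper Disposal,Paper/Films,No
"""

def load_breaches(text):
    """Parse portal-style CSV text; 'Individuals Affected' becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Individuals Affected"] = int(row["Individuals Affected"].replace(",", ""))
    return rows

def summarize(rows):
    """Totals, per-type and per-entity-type counts, BA share, and reports at exactly 500."""
    by_type = defaultdict(lambda: {"breaches": 0, "individuals": 0})
    by_entity = defaultdict(int)
    ba_reports = 0
    at_threshold = []  # exactly 500 suggests an estimate rather than a measured count
    for row in rows:
        n = row["Individuals Affected"]
        t = row["Type of Breach"]
        by_type[t]["breaches"] += 1
        by_type[t]["individuals"] += n
        by_entity[row["Covered Entity Type"]] += 1
        if row["Covered Entity Type"] == "Business Associate":  # assumed BA marker
            ba_reports += 1
        if n == 500:
            at_threshold.append(row["Name of Covered Entity"])
    total = len(rows)
    return {
        "breaches": total,
        "individuals": sum(r["Individuals Affected"] for r in rows),
        "by_type": dict(by_type),
        "by_entity_type": dict(by_entity),
        "ba_share_pct": round(100.0 * ba_reports / total, 1) if total else 0.0,
        "exactly_500": at_threshold,
    }

if __name__ == "__main__":
    print(summarize(load_breaches(SAMPLE_CSV)))
```

Point `load_breaches` at the real export and the `exactly_500` list tells you which reports to scrutinise for the "best guess" problem described above.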
No matter the statistics, none of this is good news. The affected patients' PHI has been compromised, and the affected CE or BA will very likely be sued in addition to facing federal and/or state action. Don't make 2022 the year your company ends up on the Wall of Shame. Reach out and take a proactive stance to protect your patients and your organization.
Stay (HIPAA) safe,