A research letter (Liu, Musen & Chou, 2015) published recently in the Journal of the American Medical Association1 described breaches of protected health information that had been reported from 2010 through 2013 by entities covered by the Health Insurance Portability and Accountability Act in the United States . Under the Health Information Technology for Economic and Clinical Health Act (2009), breaches involving the acquisition, access, use, or disclosure of protected health information and thus posing a significant risk to affected individuals must be reported.
We extend the original dataset of Liu et. al. to include breaches of health information up to the present. 2
Table 1 summarizes the number of incidents and victims of breaches of health information in the United States from January 2010 to August 2015, inclusive.
The most striking feature is the fluctuation in the number of victims over time generally – and the tremendous spike in the number of victims in 2015 particularly.
Figure 1 depicts the distribution of victims/breach of health information as a series of boxplots.
We see that in seventy-five percent of all incidents, the number of victims/breach over the year has fallen consistently below 104 (10,000). A small number of incidents have involved 100,000 – 1,000,000 victims/breach, and an even smaller number have involved 1,000,000 – 10,000,000 victims/breach. Incidents involving more than 10,000,000 victims/breach made their first appearance in 2015.
Table 2 presents the Medians and Inter-Quartile Ranges of the distributions of victims/breach.
The median number of victims of breaches of health is tending to increase over time, with a related increase in the dispersion of the number of victims/breach about the median.
Our focus in a few subsequent posts will be understanding the dynamics and implications of those breaches that have compromised the health information of 100,000+ patients.
|Affinity Health Plan, Inc.||2010-04-14||344,579|
|Millennium Medical Management Resources, Inc.||2010-04-29||180,111|
|Siemens Medical Solutions, USA, Inc||2010-06-04||130,495|
|Governor’s Office of Information Technology||2010-07-09||105,470|
|Iron Mountain Data Products, Inc. (now known as||2010-07-19||800,000|
|BlueCross BlueShield of Tennessee, Inc.||2010-11-01||1,023,209|
|Triple-S Management, Corp.; Triple-S Salud, Inc.;||2010-11-04||475,000|
|Medical Card System/MCS-HMO/MCS Advantage/MCS Life||2010-11-09||115,000|
|Ankle + Foot Center of Tampa Bay, Inc.||2011-01-03||156,000|
|Seacoast Radiology, PA||2011-01-10||231,400|
|GRM Information Management Services||2011-02-11||1,700,000|
|EISENHOWER MEDICAL CENTER||2011-03-30||514,330|
|Oklaholma State Dept. of Health||2011-04-11||132,940|
|The Nemours Foundation||2011-10-07||1,055,489|
|Science Applications International Corporation (SA||2011-11-04||4,900,000|
|Sutter Medical Foundation||2011-11-17||943,434|
|Utah Department of Technology Services||2012-04-11||780,000|
|South Carolina Department of Health and Human Services||2012-04-24||228,435|
|Memorial Healthcare System||2012-08-16||105,646|
|Alere Home Monitoring, Inc||2012-10-18||116,506|
|Crescent Health Inc. – a Walgreens Company||2013-02-22||109,000|
|Digital Archive Management||2013-05-07||189,489|
|RCR Technology Corporation||2013-07-01||187,533|
|Shred-it International Inc.||2013-07-11||277,014|
|Advocate Health and Hospitals Corporation, d/b/a Advocate Medical Group||2013-08-23||4,029,530|
|AHMC Healthcare Inc. and affiliated Hospitals||2013-10-25||729,000|
|Horizon Healthcare Services, Inc||2014-01-03||839,711|
|St. Joseph Health System||2014-02-05||405,000|
|Indian Health Service||2014-04-01||214,000|
|Sutherland Healthcare Solutions, Inc.||2014-05-22||342,197|
|Montana Department of Public Health and Human Services||2014-07-07||1,062,509|
|Community Health Systems Professional Services Corporation||2014-08-20||4,500,000|
|Xerox State Healthcare, LLC||2014-09-10||2,000,000|
|Touchstone Medical Imaging, LLC||2014-10-03||307,528|
|Georgia Department of Community Health||2015-03-02||557,779|
|Georgia Department of Community Health||2015-03-02||355,127|
|Virginia Department of Medical Assistance Services (VA-DMAS)||2015-03-12||697,586|
|Anthem, Inc. Affiliated Covered Entity||2015-03-13||78,800,000|
|Premera Blue Cross||2015-03-17||11,000,000|
|Advantage Consolidated LLC||2015-03-18||151,626|
|CareFirst BlueCross BlueShield||2015-05-20||1,100,000|
|Beacon Health System||2015-05-22||306,789|
|University of California, Los Angeles Health||2015-07-17||4,500,000|
|Medical Informatics Engineering||2015-07-23||3,900,000|
|Empi Inc and DJO, LLC||2015-08-20||160,000|
- Liu V, Musen MA, Chou T. Data Breaches of Protected Health Information in the United States. JAMA. 2015;313(14):1471-1473. doi:10.1001/jama.2015.2252. ↩
- Our source of data is the Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, Office for Civil Rights, U.S. Department of Health and Human Services, accessed at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf on September 1, 2015. ↩