The California Department of Public Health recently added a breach report to its web site involving California Hospital Medical Center – LA. According to their report of November 2010, in May 2010, the police department discovered face sheets with 102 patients’ names, financial, insurance, and diagnostic information in the trunk of a patient accounts representative’s car. Social Security numbers were also on the face sheets. The employee acknowledged improperly accessing and copying the information which was then sold to another individual.
I mention this breach on this blog for two reasons: (1) I don’t recall ever seeing anything in the media about this breach, and (2) I want to commend California for making so many records involving privacy breaches publicly accessible on their web site. Although their site is somewhat complicated and frustrating to use for research purposes, the CDPH has been extraordinarily helpful in answering questions and helping me locate information.
Several months ago, I asked CDPH if they had any aggregated data on medical privacy breaches. While some information is retained by county offices and not the state agency, the CDPH was able to compile a breakdown of breach reports by year and subcategory for PHIprivacy.net. It is important to note, however that the numbers reported below reflect reports the state received and not the number that were ultimately confirmed.
In the chart below, and as examples, “breach to a person/entity outside facility” does not include employees selling patient information to others, but does include incidents such as misdirected faxes. The subcategory “Breach by person other than HC worker” includes a visitor being able to read a chart left lying on a counter, and “Breach of PHI by health care worker” would include an employee posting something on Facebook or sharing a patient image via cellphone, but also includes employees selling patient information to others for tax refund fraud schemes. Finally, “Breach by health care worker within a facility” includes employee snooping or exceeding authorized access to PHI.
From the data provided below, breaches involving hacks and lost devices declined from fiscal year 2010-2011 to 2011-2012 while breaches involving disclosures of PHI to entities or individuals outside the healthcare (HC) facilities increased. Significantly, breaches by healthcare workers within facilities declined dramatically after fiscal 2010-2011, possibly due to California really cracking down on snooping and unauthorized employee access.
| Number of Breach Intakes Received by State Fiscal Year by Subcategories | ||||||
| Report Date: 2/22/2013* | ||||||
| State Fiscal Year | ||||||
| Subcategory: | 2008/09 | 2009/10 | 2010/11 | 2011/12 | 2012/13* | Subcategory Total |
| Breach of IT system/theft/loss of medical record | 49 | 94 | 271 | 153 | 81 | 648 |
| Breach to person/entity outside facility/hc system | 767 | 2303 | 2719 | 3224 | 2191 | 11204 |
| Breach by person other than HC worker | 2 | 19 | 5 | 10 | 9 | 45 |
| Breach of PHI by health care worker | 49 | 81 | 136 | 220 | 151 | 637 |
| Breach by health care worker within facility/hc system | 114 | 451 | 280 | 6 | 1 | 852 |
| Total | 981 | 2948 | 3411 | 3613 | 2433 | 13386 |
Given that data for Fiscal 2012/2013 are only partial data with more than four months remaining for the fiscal year, projecting any changes from the previous year is a bit difficult, although it appears that breaches generally either stayed at the same rates or declined a bit.
We need more data and analyses like these. HHS provides its own summary of the breach reports it receives involving fewer than 500 patients, but differences in the laws they enforce and how they define categories of breaches make some comparisons between HHS’s reports and California’s reports difficult. Dennis Melamed provides monthly statistics on OCR activities. Based on information provided by the government, he reports that the privacy areas investigated most often are:
- Impermissible uses and disclosures of protected health information (PHI);
- Lack of safeguards of PHI;
- Lack of patient access to their PHI;
- Uses or disclosures of more than the Minimum Necessary PHI; and
- Lack of administrative safeguards of electronic PHI.
Those categories do not permit ready direct comparison to the aggregated data CDPH sent me for California. Some data are available, however. In the only report it has filed with Congress to date, HHS reported:
HHS received approximately 5,521 reports of smaller breaches that occurred between September 23, 2009, and December 31, 2009. These smaller breaches affected approximately 12,000 individuals. HHS received more than 25,000 reports of smaller breaches that occurred between January 1, 2010, and December 31, 2010. These smaller breaches affected more than 50,000 individuals.
Common Causes and Remedies
The majority of small breach reports in 2009 and 2010 involved misdirected communications and affected just one individual each. Often, a clinical or claims record of one individual was mistakenly mailed or faxed to another individual. In other instances, test results were sent to the wrong patient, files were attached to the wrong patient record, emails were sent to the wrong addresses, and member ID cards were mailed to the wrong individuals.
So there is some consistency as both HHS and California report that their largest category of breaches involve misdirected communications, but it would be helpful to have a more standardized breach coding system that HHS and states employ in analyzing data.