Under Section 13402(i) of HITECH, HHS is required to submit to Congress an annual report containing the number and nature of breaches reported, and the actions taken in response to those breaches. Section 13424(2) of the HITECH Act requires the Secretary to make each report available to the public on the HHS website.
HHS had issued one report for 2009-2010, and has now issued its report for the period January 1, 2011 – December 31, 2012:
Submission Letters for the 2011 – 2012 Report to Congress on the Breach Notification Program
2011 – 2012 Report to Congress on the Breach Notification Program (29 pp, pdf)
I haven’t had time to really read through this yet, but at first glance, it appears that while theft continues to be the single largest category of breaches (with hacking being a second prominent category), loss accounted for the largest percentage of individuals affected in 2011 breaches. Additionally, while breach reports from business associates accounted for approximately one-fourth of breach reports in 2011 and 2012, they accounted for 64% and 42% of individuals affected in those years.
I’ll likely have more to say once I’ve had time to really go through the report carefully.