Data breach reports now posted online

Since the Health and Human Services Dept. started posting a list of health care breaches, there have been 64 incidents reported, affecting more than 1 million people.

When a breach affects more than 500 patients, practices and other health care entities -- or their business associates -- are required to notify the HHS Office for Civil Rights and the media. HHS is required to post a list of the breaches online.

HHS started listing the breaches on its website in February, then updated the list in April. The reported incidents affected 1,243,815 individuals.

Of the 64 breaches:

• Seven involved laptops.
• Twelve involved paper records.
• Eleven involved desktop computers.
• Eight involved either hard drives or network servers.
• Seven involved portable electronic devices.

The remaining incidents either were isolated events that didn't fit into another category or were classified as "other" in the report. Some single events included more than one category -- a theft that included a laptop and a desktop computer, for example.

Theft was the most common cause of a breach, with 44 of the cases classified as such. The others were either loss, unauthorized access, hacking or other causes.

The latest report lists by name hospitals and large medical centers that experienced breaches. Private practices are listed as "private practice," with the city and state, but soon will be named. The report is online (link).

The Health Information Technology for Economic and Clinical Health Act, part of the 2009 federal stimulus package, updated the Health Insurance Portability and Accountability Act to include a notification requirement in the event of a breach.